Windows Analysis Report
Digital.msi

Overview

General Information

Sample name: Digital.msi
Analysis ID: 1561808
MD5: 391a7dcf2ff4af032a8de9b5bfc5b7d9
SHA1: 22e2261c6e65f3d95406e66c77d3942d51790417
SHA256: e652634f90f23553d56fa937227c039f8769f9509051a434a14990785a8ab57f
Tags: msi, user-JAMESWT_MHT

Detection

AteraAgent
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AteraAgent
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

  • System is w10x64
  • svchost.exe (PID: 5264 cmdline: C:\Windows\System32\svchost.exe -k NetworkService -p MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • SgrmBroker.exe (PID: 4860 cmdline: C:\Windows\system32\SgrmBroker.exe MD5: 3BA1A18A0DC30A0545E7765CB97D8E63)
  • svchost.exe (PID: 2884 cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • sppsvc.exe (PID: 5580 cmdline: C:\Windows\system32\sppsvc.exe MD5: 320823F03672CEB82CC3A169989ABD12)
  • msiexec.exe (PID: 6468 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Digital.msi" MD5: E5DA170027542E25EDE42FC54C929077)
  • svchost.exe (PID: 6568 cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
  • msiexec.exe (PID: 2636 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)
    • msiexec.exe (PID: 7372 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding BDCEB15B695F7B18E5D384CA0657056F MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • rundll32.exe (PID: 7420 cmdline: rundll32.exe "C:\Windows\Installer\MSIC52A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3851687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7492 cmdline: rundll32.exe "C:\Windows\Installer\MSIC932.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3852625 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7616 cmdline: rundll32.exe "C:\Windows\Installer\MSIE1CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3858921 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)
      • rundll32.exe (PID: 7424 cmdline: rundll32.exe "C:\Windows\Installer\MSI1EC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3867125 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)
    • msiexec.exe (PID: 7700 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 698B2CE5FB46AC99A05489DBEDC6273F E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)
      • net.exe (PID: 7736 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)
        • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • net1.exe (PID: 7784 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
      • taskkill.exe (PID: 7808 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)
        • conhost.exe (PID: 7816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AteraAgent.exe (PID: 7876 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="Salim.Jami@korektel.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KANvwIAH" /AgentId="1db40f91-941c-4bcb-961d-1fe2982e82b6" MD5: 477293F80461713D51A98A24023D45E8)
  • svchost.exe (PID: 3444 cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
    • MpCmdRun.exe (PID: 3208 cmdline: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable MD5: B3676839B2EE96983F9ED735CD044159)
      • conhost.exe (PID: 1520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • AteraAgent.exe (PID: 8040 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)
    • sc.exe (PID: 8164 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)
      • conhost.exe (PID: 8188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7744 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 7828 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 2888 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 4040 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • AgentPackageAgentInformation.exe (PID: 7492 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH MD5: FD9DF72620BCA7C4D48BC105C89DFFD2)
      • conhost.exe (PID: 3200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| C:\Windows\Installer\inprogressinstallinfo.ipi | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| C:\Windows\Temp\~DF104FF017AE6A1734.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| C:\Windows\Temp\~DF46B34C8187FE8435.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| C:\Windows\Temp\~DFD18BD80E6999656A.TMP | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| 0000001F.00000002.2310806719.0000021780073000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| 00000019.00000002.1685011781.00000206FF2D0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| 00000019.00000002.1685011781.00000206FF290000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| 00000014.00000002.2527764895.000001E81976F000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| 25.2.AgentPackageAgentInformation.exe.206ff410000.1.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| 19.0.AteraAgent.exe.207e7090000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| 25.0.AgentPackageAgentInformation.exe.206ff100000.0.unpack | JoeSecurity_AteraAgent | Yara detected AteraAgent | Joe Security | |
| 25.0.AgentPackageAgentInformation.exe.206ff100000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | |
Source: Process started, Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 698B2CE5FB46AC99A05489DBEDC6273F E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7700, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7736, ProcessName: net.exe
Source: Process started, Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding 698B2CE5FB46AC99A05489DBEDC6273F E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 7700, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 7736, ProcessName: net.exe
Source: Process started, Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 620, ProcessCommandLine: C:\Windows\System32\svchost.exe -k NetworkService -p, ProcessId: 5264, ProcessName: svchost.exe
| Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol |
|---|---|---|---|---|---|---|---|---|
| 2024-11-24T11:16:27.502084+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49760 | 13.232.67.198 | 443 | TCP |
| 2024-11-24T11:16:30.809349+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49776 | 13.232.67.198 | 443 | TCP |
| 2024-11-24T11:17:15.973636+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49882 | 13.232.67.198 | 443 | TCP |
| 2024-11-24T11:17:26.823639+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49913 | 13.232.67.198 | 443 | TCP |
| 2024-11-24T11:17:34.035403+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49934 | 13.232.67.198 | 443 | TCP |
| 2024-11-24T11:17:40.734107+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49954 | 13.232.67.198 | 443 | TCP |
| 2024-11-24T11:17:43.589048+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49964 | 13.232.67.198 | 443 | TCP |
| 2024-11-24T11:17:47.631742+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 49977 | 13.232.67.198 | 443 | TCP |
| 2024-11-24T11:17:56.523900+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 50015 | 13.232.67.198 | 443 | TCP |
| 2024-11-24T11:18:05.733018+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 50052 | 13.232.67.198 | 443 | TCP |
| 2024-11-24T11:18:11.737494+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.11 | 50073 | 13.232.67.198 | 443 | TCP |

AV Detection

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, ReversingLabs: Detection: 26%
Source: Digital.msi, ReversingLabs: Detection: 28%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 90.2% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49751 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49752 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 108.158.75.4:443 -> 192.168.2.11:49778 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49913 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49914 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49934 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49933 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49945 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49976 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49977 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49981 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49986 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50000 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50001 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50017 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50027 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50028 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50064 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50066 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50083 version: TLS 1.2
                              Source: C:\Windows\System32\msiexec.exe File opened: z:
                              Source: C:\Windows\System32\msiexec.exe File opened: x:
                              Source: C:\Windows\System32\msiexec.exe File opened: v:
                              Source: C:\Windows\System32\msiexec.exe File opened: t:
                              Source: C:\Windows\System32\msiexec.exe File opened: r:
                              Source: C:\Windows\System32\msiexec.exe File opened: p:
                              Source: C:\Windows\System32\msiexec.exe File opened: n:
                              Source: C:\Windows\System32\msiexec.exe File opened: l:
                              Source: C:\Windows\System32\msiexec.exe File opened: j:
                              Source: C:\Windows\System32\msiexec.exe File opened: h:
                              Source: C:\Windows\System32\msiexec.exe File opened: f:
                              Source: C:\Windows\System32\svchost.exe File opened: d:
                              Source: C:\Windows\System32\msiexec.exe File opened: b:
                              Source: C:\Windows\System32\msiexec.exe File opened: y:
                              Source: C:\Windows\System32\msiexec.exe File opened: w:
                              Source: C:\Windows\System32\msiexec.exe File opened: u:
                              Source: C:\Windows\System32\msiexec.exe File opened: s:
                              Source: C:\Windows\System32\msiexec.exe File opened: q:
                              Source: C:\Windows\System32\msiexec.exe File opened: o:
                              Source: C:\Windows\System32\msiexec.exe File opened: m:
                              Source: C:\Windows\System32\msiexec.exe File opened: k:
                              Source: C:\Windows\System32\msiexec.exe File opened: i:
                              Source: C:\Windows\System32\msiexec.exe File opened: g:
                              Source: C:\Windows\System32\msiexec.exe File opened: e:
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: c:
                              Source: C:\Windows\System32\msiexec.exe File opened: a:
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFE7D101FFFh19_2_00007FFE7D101FCD
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFE7D101873h19_2_00007FFE7D10172D
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFE7D101A44h19_2_00007FFE7D101A34
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFE7D0E4ECBh20_2_00007FFE7D0E4DF6
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFE7D0E227Bh20_2_00007FFE7D0E0C58
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeCode function: 4x nop then jmp 00007FFE7D0E4ECBh20_2_00007FFE7D0E4E45

                              Networking

                              Source: Yara matchFile source: 25.0.AgentPackageAgentInformation.exe.206ff100000.0.unpack, type: UNPACKEDPE
                              Source: Yara matchFile source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2babaf61-1d7c-4750-9d20-d0f3040d8dce&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e064dce1-78e9-4ac2-9264-1eb708dbc685&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d7610938-0dca-439e-ac79-774f3c321e97&tr=31&tt=17324433839841529&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c825a3a8-4a36-49ab-b7b0-21c3250f6f58&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?1eP7cXfFABHn+w1g9FFL9eB+/iH5iRCUNriQ2oXlm3Xo4LhMTCSEx95ciwNo/nGQ HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0950ed73-74e9-4e9c-8f6e-bd3943c07a92&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=21b3579c-1a7e-42af-89a3-d62561119c3f&tr=31&tt=17324433862201175&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f0169ba0-1470-42de-a8c0-d3acdded414b&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=81ad481d-fe32-40f1-a575-ff3213b02a54&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b56d0227-452e-4f76-a77a-378f095d9d38&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=948125fe-e3cf-42ab-ba34-976a3adf5c80&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c5142d1-8eb7-4c24-9754-9b429320ed0d&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d2f98d58-ae77-41cb-bf75-a12c39413b70&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=307e4b22-ae8f-4dc7-a619-34b637c0b56b&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cead9e07-0918-4110-bf73-0cde7886e764&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f2fcab0-36f7-497d-80c2-ed154ce143d7&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9912033a-6573-4ca2-b350-37c2bc6e22e9&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2834bcd7-fd55-4889-8913-f76d7ffbc034&tr=31&tt=17324434596739146&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=86b5c6de-7733-4db5-b81f-7d902ad87fa7&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2c6e45e8-47f3-4b11-b828-5f7d85987293&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2f5b9f56-7551-421b-9316-301f6079e99e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c2b41531-6511-4485-b86e-174f0caf9d55&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b567b7d-02ab-4d8f-b457-87226ecdada3&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c29a5fd2-a31e-449c-a116-6640bd437f2a&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1549cfbe-4797-4e9b-87ba-b39ddfdb0c6e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=504e0050-fb3e-4785-b22a-13fb6da05322&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f7ffddb2-9b76-4bfa-9cc3-f625de546771&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=262560da-847d-4155-9198-8e4ffcd1509c&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a9364c7f-76bc-44d5-9e4a-9e20b519e5f6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=04073794-9b1a-456b-85fe-6eca65797754&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c1164d1e-bc30-4eb8-888a-782a294ae896&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=de127575-77e7-4719-a128-017012d14d11&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=95a8cc07-d7ac-4863-aa59-e133b0947fc6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9debe3d6-bd60-48d8-8f32-cac259735cf3&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Host: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=248769b3-5b56-419a-86a3-53e6abc6f7ea&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8bd2666e-deba-4537-9847-826117c775e9&tr=31&tt=17324434870174992&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49760 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49776 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49913 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49934 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49977 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50052 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49882 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49964 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50073 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:49954 -> 13.232.67.198:443
                              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.11:50015 -> 13.232.67.198:443
                              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                              Source: global trafficHTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8bd2666e-deba-4537-9847-826117c775e9&tr=31&tt=17324434870174992&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
                              Source: global traffic. DNS traffic detected: DNS query: agent-api.atera.com
                              Source: global traffic. DNS traffic detected: DNS query: ps.pndsn.com
                              Source: global traffic. DNS traffic detected: DNS query: ps.atera.com
                              Source: AteraAgent.exe, 00000014.00000002.2537602873.000001E831FC2000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.19.drString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
                              Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E8324F5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F9E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d9fc572
                              Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E83252B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ctldl.windowsupdate.com:80/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?d9fc
                              Source: AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000000.1642250402.00000206FF102000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.20.drString found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
                              Source: Newtonsoft.Json.dll.24.drString found in binary or memory: http://james.newtonking.com/projects/json
                              Source: rundll32.exe, 0000000B.00000002.1362755613.00000000079CE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007430000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://msdn.mi
                              Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9629000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/
                              Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/--4
                              Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
                              Source: 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB0.19.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
                              Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp, C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141.19.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
                              Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/Q-
                              Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com/U-
                              Source: AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.drString found in binary or memory: http://ocsp.digicert.com0
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E8328B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323A9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698EC8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD76C8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD7707000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0D70000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0E11000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.drString found in binary or memory: http://ocsp.digicert.com0A
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Newtonsoft.Json.dll.7.drString found in binary or memory: http://ocsp.digicert.com0C
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0K
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.drString found in binary or memory: http://ocsp.digicert.com0N
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Newtonsoft.Json.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, Newtonsoft.Json.dll.10.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr, Newtonsoft.Json.dll.24.drString found in binary or memory: http://ocsp.digicert.com0O
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831EF2000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.dr, Atera.AgentPackage.Common.dll.20.dr, AgentPackageAgentInformation.exe.20.drString found in binary or memory: http://ocsp.digicert.com0X
                              Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E8323E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
                              Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
                              Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
                              Source: AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
                              Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E83252B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com:80l
                              Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                              Source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832370000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
                              Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323E3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E39000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ps.pndsn.com
                              Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org
                              Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/
                              Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
                              Source: rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.drString found in binary or memory: http://wixtoolset.org
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.drString found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.drString found in binary or memory: http://wixtoolset.org/news/
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.drString found in binary or memory: http://wixtoolset.org/releases/
                              Source: svchost.exe, 00000000.00000002.1374419257.000001E3B9413000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.bingmapsportal.com
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com/CPS
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1442020812.00000207E9909000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832411000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, BouncyCastle.Crypto.dll.7.dr, Newtonsoft.Json.dll.11.dr, 3ac317.msi.7.dr, Pubnub.dll.7.dr, 3ac319.msi.7.dr, System.ValueTuple.dll.7.dr, Newtonsoft.Json.dll.12.dr, ICSharpCode.SharpZipLib.dll.7.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, AteraAgent.exe.7.drString found in binary or memory: http://www.digicert.com/CPS0
                              Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.o
                              Source: AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.w3.oh
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.P
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819E96000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.PR
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.Pj
                              Source: rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterD
                              Source: rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.aterDj
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819DF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E02000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, 
AlphaControlAgentInstallation.dll.24.drString found in binary or memory: https://agent-api.atera.com
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.drString found in binary or memory: https://agent-api.atera.com/
                              Source: AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F7C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.drString found in binary or memory: https://agent-api.atera.com/Production/Agent/
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://agent-api.atera.com/Production/Agent/Acknowl
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscrib
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-b
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E819FBD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d
                              Source: AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ps.pndsn.com/v22
                              Source: svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
                              Source: svchost.exe, 00000000.00000003.1270871997.000001E3B9436000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
                              Source: svchost.exe, 00000000.00000003.1270871997.000001E3B9436000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
                              Source: svchost.exe, 00000000.00000003.1372202185.000001E3B945D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=
                              Source: svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
                              Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
                              Source: svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, Microsoft.Deployment.WindowsInstaller.dll.12.dr, MSIE5E5.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, MSIE77C.tmp.7.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.drString found in binary or memory: https://www.digicert.com/CPS0
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.drString found in binary or memory: https://www.newtonsoft.com/json
                              Source: Newtonsoft.Json.dll.24.drString found in binary or memory: https://www.newtonsoft.com/jsonschema
                              Source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.drString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49751 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49752 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 108.158.75.4:443 -> 192.168.2.11:49778 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49913 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49914 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49934 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49933 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49945 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49976 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49977 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49981 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:49986 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50000 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50001 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50017 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50027 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50028 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50064 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50066 version: TLS 1.2
                              Source: unknown HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.11:50083 version: TLS 1.2
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                              Spam, unwanted Advertisements and Ransom Demands

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3ac317.msi
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC52A.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC932.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE1CC.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE5D4.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE5E5.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE77C.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE8F4.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\3ac319.msi
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1EC.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC52A.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC52A.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC932.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC932.tmp-\CustomAction.config
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CC.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CC.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1EC.tmp-
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1EC.tmp-\CustomAction.config
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIC52A.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_3_074571D0
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_3_07450040
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_3_04AF50B8
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_3_04AF59A8
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_3_04AF4D68
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 20_2_00007FFE7D0E0C58
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06EC7678
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06EC0040
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 25_2_00007FFE7D1112CF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFE7D0F12CF
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 31_2_00007FFE7D1012CF
                              Source: Joe Sandbox ViewDropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                              Source: Digital.msiBinary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs Digital.msi
                              Source: Digital.msiBinary or memory string: OriginalFilenameSfxCA.dll\ vs Digital.msi
                              Source: Digital.msiBinary or memory string: OriginalFilenamewixca.dll\ vs Digital.msi
                              Source: AteraAgent.exe.7.dr, SignatureValidator.csBase64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'
                              Source: classification engineClassification label: mal92.troj.spyw.evad.winMSI@46/83@12/2
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Program Files (x86)\ATERA Networks
                              Source: C:\Windows\SysWOW64\rundll32.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:7828:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeMutant created: NULL
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:4040:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:3200:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:8188:120:WilError_03
                              Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeMutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
                              Source: C:\Windows\System32\conhost.exeMutant created: \BaseNamedObjects\Local\SM0:1520:120:WilError_03
                              Source: C:\Windows\System32\msiexec.exeFile created: C:\Windows\TEMP\~DF355F8EAD7962411B.TMP
                              Source: C:\Windows\SysWOW64\rundll32.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Windows\System32\conhost.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Windows\SysWOW64\taskkill.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeFile read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Windows\System32\msiexec.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC52A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3851687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: Digital.msiStatic file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
                              Source: Digital.msiReversingLabs: Detection: 28%
                              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
                              Source: unknownProcess created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
                              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                              Source: unknownProcess created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
                              Source: unknownProcess created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Digital.msi"
                              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                              Source: unknownProcess created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                              Source: unknownProcess created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding BDCEB15B695F7B18E5D384CA0657056F
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC52A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3851687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC932.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3852625 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIE1CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3858921 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 698B2CE5FB46AC99A05489DBEDC6273F E Global\MSI0000
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\net.exeProcess created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\taskkill.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\msiexec.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="Salim.Jami@korektel.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KANvwIAH" /AgentId="1db40f91-941c-4bcb-961d-1fe2982e82b6"
                              Source: unknownProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Windows\System32\sc.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\SysWOW64\msiexec.exeProcess created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI1EC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3867125 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
                              Source: C:\Windows\System32\conhost.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\svchost.exeProcess created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Source: C:\Windows\System32\msiexec.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: rstrtmgr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ncrypt.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ntasn1.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: pcacli.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: ntmarta.dllJump to behavior
                              Source: C:\Windows\System32\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: cabinet.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: aclayers.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: sfc_os.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: msi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\msiexec.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: version.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: mpr.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: framedynos.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: dbghelp.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: winsta.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: uxtheme.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: riched20.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: usp10.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msls31.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dllJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: propsys.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: edputil.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: urlmon.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iertutil.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: srvcli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: netutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: windows.staterepositoryps.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wintypes.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: appresolver.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: bcp47langs.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: slc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: sppc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecorecommonproxystub.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: onecoreuapcommonproxystub.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: gpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cryptnet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: webio.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: cabinet.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: apphelp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exeSection loaded: gpapi.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: mpclient.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: secur32.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sspicli.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: version.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: msasn1.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: kernel.appcore.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: userenv.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: gpapi.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wbemcomn.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: amsi.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: profapi.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: wscapi.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: urlmon.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: iertutil.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: srvcli.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: netutils.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: slc.dll
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exeSection loaded: sppc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mscoree.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: kernel.appcore.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: version.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: vcruntime140_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptsp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rsaenh.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptbase.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: windows.storage.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wldp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: profapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wbemcomn.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: amsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: userenv.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasapi32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasman.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rtutils.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mswsock.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winhttp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ondemandconnroutehelper.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: iphlpapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc6.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dnsapi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winnsi.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasadhlp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: fwpuclnt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: secur32.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: sspicli.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: schannel.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mskeyprotect.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ntasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncrypt.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncryptsslp.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: msasn1.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: gpapi.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
                              Source: Digital.msi Static file information: File size 2994176 > 1048576
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdbDS9% source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.7.dr
                              Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007441000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.20.dr
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360724551.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359747341.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: ControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.7.dr
                              Source: Binary string: HP7n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360001040.0000000002EA7000.00000004.00000010.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1504607899.00000000008D7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr
                              Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000013.00000000.1387858238.00000207E7092000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.7.dr
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.7.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbt source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \Windows\Pubnub.pdbpdbnub.pdb source: AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbn source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr
                              Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.dr
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr
                              Source: Binary string: \??\C:\Windows\System.pdb. source: rundll32.exe, 0000000B.00000002.1362755613.00000000079A0000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AteraAgent.exe, 00000014.00000002.2540922375.000001E832810000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000000.1642250402.00000206FF102000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.20.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdbl source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb,r source: rundll32.exe, 0000000B.00000002.1360724551.000000000350E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359747341.000000000350E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.0000000003505000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007430000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.dr
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.20.dr
                              Source: Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 0000000B.00000002.1362846095.00000000079DA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1359672372.00000000079D9000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 0000000A.00000003.1297790604.0000000004845000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E6F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048E5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538424812.000001E832162000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000018.00000003.1446901371.00000000048C6000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1685922917.00000206FF522000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.11.dr, Newtonsoft.Json.dll.12.dr, Newtonsoft.Json.dll.20.dr, Newtonsoft.Json.dll.7.dr, Newtonsoft.Json.dll.10.dr, Newtonsoft.Json.dll.24.dr
                              Source: Binary string: C:\Windows\AlphaControlAgentInstallation.pdbpdbion.pdb source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdbV source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.7.dr
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, MSIE5E5.tmp.7.dr, MSIE77C.tmp.7.dr, MSIE8F4.tmp.7.dr, MSIE5D4.tmp.7.dr
                              Source: Binary string: dows\dll\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.dr
                              Source: Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.pdbZ source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000019.00000002.1685670421.00000206FF412000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.20.dr
                              Source: Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1508284798.000000000744E000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: System.pdb source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1508284798.0000000007441000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: ?CnC:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000002.1360001040.0000000002EA7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 00000013.00000002.1441634851.00000207E9662000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.7.dr
                              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 00000013.00000002.1441634851.00000207E9662000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.7.dr
                              Source: Binary string: ?CnC:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000018.00000002.1504607899.00000000008D7000.00000004.00000010.00020000.00000000.sdmp
                              Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: Digital.msi, 3ac317.msi.7.dr, 3ac319.msi.7.dr, MSIC52A.tmp.7.dr, MSI1EC.tmp.7.dr, MSIE1CC.tmp.7.dr, MSIC932.tmp.7.dr
                              Source: Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.7.dr
                              Source: Binary string: \??\C:\Windows\System.pdbo source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\dll\System.pdbt source: rundll32.exe, 0000000B.00000003.1359603187.000000000353A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.000000000353A000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000B.00000003.1359747341.00000000034B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360724551.00000000034B6000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\System.pdbr source: rundll32.exe, 00000018.00000002.1504791861.0000000000C57000.00000004.00000020.00020000.00000000.sdmp
                              Source: Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdbes source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp
                              Source: BouncyCastle.Crypto.dll.7.dr Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 19_2_00007FFE7D1000BD pushad ; iretd 19_2_00007FFE7D1000C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 20_2_00007FFE7D0E00BD pushad ; iretd 20_2_00007FFE7D0E00C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 20_2_00007FFE7D2F0F64 push eax; ret 20_2_00007FFE7D2F0F94
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 20_2_00007FFE7D2F0F38 push eax; ret 20_2_00007FFE7D2F0F94
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06DE57B8 push es; ret 24_3_06DE5840
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06DE4E90 push es; ret 24_3_06DE4EA0
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06DE4EB0 push es; ret 24_3_06DE4EA0
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06DE58D1 push es; ret 24_3_06DE58E0
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06DE58F0 push es; ret 24_3_06DE5900
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06DE58B0 push es; ret 24_3_06DE58C0
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06DE5910 push es; ret 24_3_06DE5920
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06EC84A1 push es; ret 24_3_06EC84B0
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06EC18F0 push es; ret 24_3_06EC1900
                              Source: C:\Windows\SysWOW64\rundll32.exe Code function: 24_3_06EC1961 push es; ret 24_3_06EC1970
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 25_2_00007FFE7D1100BD pushad ; iretd 25_2_00007FFE7D1100C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 29_2_00007FFE7D0F00BD pushad ; iretd 29_2_00007FFE7D0F00C1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 31_2_00007FFE7D1000BD pushad ; iretd 31_2_00007FFE7D1000C1

                              Persistence and Installation Behavior

                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1EC.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC52A.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE8F4.tmp
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE5E5.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC932.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE77C.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIE1CC.tmp
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
                              Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\msiexec.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\System32\svchost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOGPFAULTERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Windows\SysWOW64\rundll32.exeProcess information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX
                              Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process information set: NOOPENFILEERRORBOX

                              Malware Analysis System Evasion

                              Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                              Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 207E73F0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 207E8DB0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 1E8195F0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 1E831700000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 206804C0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 20698680000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 29FBE770000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 29FD6DF0000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 217F0020000 memory reserve | memory write watch
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 217F0600000 memory reserve | memory write watch
                              Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 6434
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeWindow / User API: threadDelayed 3126
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE8F4.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE5E5.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC932.tmp-\System.Management.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE77C.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                              Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll
                              Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIE1CC.tmp
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 7532 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7940 Thread sleep time: -60000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7896 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8092 Thread sleep count: 6434 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8084 Thread sleep count: 3126 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7548 Thread sleep time: -27670116110564310s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7548 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7536 Thread sleep count: 48 > 30
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7536 Thread sleep time: -480000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7488 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7516 Thread sleep time: -270000s >= -30000s
                              Source: C:\Windows\SysWOW64\rundll32.exe TID: 7652 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7844 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7864 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2096 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 2860 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1420 Thread sleep time: -30000s >= -30000s
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 4828 Thread sleep time: -922337203685477s >= -30000s
                              Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
                              Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                              Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
                              Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
                              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                              Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
                              Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 30000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 90000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
                              Source: AgentPackageAgentInformation.exe.20.dr Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
                              Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: m&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D: @
                              Source: svchost.exe, 00000005.00000002.2524554790.0000024206A2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                              Source: svchost.exe, 00000005.00000002.2524868931.0000024206A64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000k
                              Source: rundll32.exe, 00000018.00000002.1504791861.0000000000CB8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
                              Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
                              Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9639000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000013.00000002.1440692718.00000207E95E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E832451000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2537602873.000001E831F1C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2538937765.000001E8323A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                              Source: svchost.exe, 00000005.00000002.2524275259.0000024206A02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
                              Source: AteraAgent.exe, 00000013.00000002.1440692718.00000207E9560000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                              Source: svchost.exe, 00000005.00000002.2525155471.0000024206B02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: svchost.exe, 00000005.00000002.2524684736.0000024206A4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: #Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
                              Source: rundll32.exe, 0000000B.00000003.1359603187.0000000003527000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1360924672.0000000003528000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1684646622.0000020698E50000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2139861826.0000029FD76C8000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2313248343.00000217F0DB0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                              Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
                              Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process token adjusted: Debug
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process token adjusted: Debug
                              Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard
                              Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="Salim.Jami@korektel.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KANvwIAH" /AgentId="1db40f91-941c-4bcb-961d-1fe2982e82b6"
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
                              Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
                              Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
                              Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="salim.jami@korektel.com" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000kanvwiah" /agentid="1db40f91-941c-4bcb-961d-1fe2982e82b6"
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000kanvwiah
                              Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                              Source: C:\Windows\System32\svchost.exeQueries volume information: C: VolumeInformationJump to behavior
                              Source: C:\Windows\System32\msiexec.exeQueries volume information: C:\ VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformationJump to behavior
                              Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformationJump to behavior
                              Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exeQueries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformationJump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                              Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: svchost.exe, 00000008.00000002.2525383064.0000028969F02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000008.00000002.2525383064.0000028969F02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Windows\System32\svchost.exe | WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files\Windows Defender\MpCmdRun.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

                              Remote Access Functionality

Source: Yara match | File source: 25.2.AgentPackageAgentInformation.exe.206ff410000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 19.0.AteraAgent.exe.207e7090000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 25.0.AgentPackageAgentInformation.exe.206ff100000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7420, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7492, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7616, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AteraAgent.exe PID: 7876, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AteraAgent.exe PID: 8040, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: rundll32.exe PID: 7424, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7744, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 2888, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7492, type: MEMORYSTR
Source: Yara match | File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF104FF017AE6A1734.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF46B34C8187FE8435.TMP, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DFD18BD80E6999656A.TMP, type: DROPPED
Source: Yara match | File source: C:\Config.Msi\3ac318.rbs, type: DROPPED
Source: Yara match | File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF9363D06770D8B98C.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DFC8300526DF6F0731.TMP, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match | File source: C:\Windows\Temp\~DF355F8EAD7962411B.TMP, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match | File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match | File source: C:\Windows\Installer\MSIE5D4.tmp, type: DROPPED

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: 1 Replication Through Removable Media; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 131 Windows Management Instrumentation; 1 Command and Scripting Interpreter; 11 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 21 Windows Service; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 DLL Side-Loading; 21 Windows Service; 11 Process Injection; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: 121 Disable or Modify Tools; 21 Obfuscated Files or Information; 1 Timestomp; 1 DLL Side-Loading; 1 File Deletion; 122 Masquerading; 1 Modify Registry; 171 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Rundll32
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 11 Peripheral Device Discovery; 2 File and Directory Discovery; 34 System Information Discovery; 1 Query Registry; 261 Security Software Discovery; 1 Process Discovery; 171 Virtualization/Sandbox Evasion; 1 Application Window Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

[Behavior Graph: ID: 1561808, Sample: Digital.msi, Startdate: 24/11/2024, Architecture: WINDOWS, Score: 92]

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| Digital.msi | 29% | ReversingLabs | Win32.Trojan.Atera | |

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | 26% | ReversingLabs | Win32.Trojan.Atera | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll | 0% | ReversingLabs | | |
| C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI1EC.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI1EC.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI1EC.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSI1EC.tmp-\System.Management.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIC52A.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIC52A.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIC52A.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIC52A.tmp-\System.Management.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIC932.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIC932.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIC932.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIC932.tmp-\System.Management.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIE1CC.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIE1CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIE1CC.tmp-\Newtonsoft.Json.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIE1CC.tmp-\System.Management.dll | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIE5E5.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIE77C.tmp | 0% | ReversingLabs | | |
| C:\Windows\Installer\MSIE8F4.tmp | 0% | ReversingLabs | | |

No Antivirus matches

No Antivirus matches

| Source | Detection | Scanner | Label | Link |
|---|---|---|---|---|
| http://crl3.x | 0% | Avira URL Cloud | safe | |
| https://agent-api.PR | 0% | Avira URL Cloud | safe | |
| https://agent-api.aterDj | 0% | Avira URL Cloud | safe | |

| Name | IP | Active | Malicious | Antivirus Detection | Reputation |
|---|---|---|---|---|---|
| ps.pndsn.com | 13.232.67.198 | true | false | | high |
| bg.microsoft.map.fastly.net | 199.232.214.172 | true | false | | high |
| d25btwd9wax8gu.cloudfront.net | 108.158.75.4 | true | false | | unknown |
| fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high |
| windowsupdatebg.s.llnwi.net | 178.79.238.0 | true | false | | high |
| ps.atera.com | unknown | unknown | false | | high |
| agent-api.atera.com | unknown | unknown | false | | high |
                                                                                                                                                    • Avira URL Cloud: safe
                                                                                                                                                    unknown
                                                                                                                                                    http://www.bingmapsportal.comsvchost.exe, 00000000.00000002.1374419257.000001E3B9413000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://dev.virtualearth.net/REST/v1/Imagery/Copyright/svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372392939.000001E3B945A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1374973934.000001E3B9463000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372007687.000001E3B9462000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                        high
                                                                                                                                                        https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscoveAteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://agent-api.atera.comrundll32.exe, 0000000B.00000002.1361716036.00000000050F5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F76000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E96000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B25000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.00000206807AF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEF1F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001F.00000002.2310806719.000002178012F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.8/AgentPackageSystemTools.zipAteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                              high
                                                                                                                                                              https://agent-api.atera.com/Production/Agent/GetRecurrinAteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                high
                                                                                                                                                                https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdv?pv=1&r=svchost.exe, 00000000.00000003.1372202185.000001E3B945D000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  http://schemas.datacontract.org/2004/07/AteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                    high
                                                                                                                                                                    https://github.com/icsharpcode/SharpZipLibAteraAgent.exe, 00000014.00000002.2540771863.000001E8327D2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.7.drfalse
                                                                                                                                                                      high
                                                                                                                                                                      https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscoveryAteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                        high
                                                                                                                                                                        https://dev.virtualearth.net/REST/v1/Routes/svchost.exe, 00000000.00000002.1374477527.000001E3B942B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1371948365.000001E3B9467000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1375057722.000001E3B9468000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                          high
                                                                                                                                                                          https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentIAteraAgent.exe, 00000014.00000002.2527764895.000001E81989A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198C6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197DF000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                            high
                                                                                                                                                                            https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zipAteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                              high
                                                                                                                                                                              http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/vrundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.12.dr, Microsoft.Deployment.WindowsInstaller.dll.11.dr, Microsoft.Deployment.WindowsInstaller.dll.10.dr, Microsoft.Deployment.WindowsInstaller.dll.24.drfalse
                                                                                                                                                                                high
                                                                                                                                                                                https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=svchost.exe, 00000000.00000002.1374663965.000001E3B9442000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372481147.000001E3B9441000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                  high
                                                                                                                                                                                  https://agent-api.atera.com/Production/Agent/AcknowlAteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                    high
                                                                                                                                                                                    https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=svchost.exe, 00000000.00000003.1270871997.000001E3B9436000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                      high
                                                                                                                                                                                      https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/svchost.exe, 00000000.00000003.1270871997.000001E3B9436000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                        high
                                                                                                                                                                                        https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zipAteraAgent.exe, 00000014.00000002.2527764895.000001E819804000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198CA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819786000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8197C7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                          high
                                                                                                                                                                                          https://dev.virtualearth.net/REST/v1/Locationssvchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                            high
                                                                                                                                                                                            https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/30.1/AgentPackageTicketing.zipAteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                              high
                                                                                                                                                                                              https://agent-api.atera.comrundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819701000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F53000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819DF6000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819F64000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819E02000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000019.00000002.1683949683.0000020680703000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001D.00000002.2138610160.0000029FBEEAF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 
0000001F.00000002.2310806719.00000217800BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.drfalse
                                                                                                                                                                                                high
                                                                                                                                                                                                https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/svchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                  high
                                                                                                                                                                                                  https://ps.pndsn.com/v22AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                    high
                                                                                                                                                                                                    https://agent-api.atera.com/Production/Agent/AgentStartingAteraAgent.exe, 00000014.00000002.2527764895.000001E819F5E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819DF6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                      high
                                                                                                                                                                                                      https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA3RuZAteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                        high
                                                                                                                                                                                                        http://www.w3.ohAteraAgent.exe, 00000013.00000002.1437456452.00000207800BA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                          high
                                                                                                                                                                                                          https://agent-api.atera.com/Production/Agent/GetCommandsAteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E8199BE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819AED000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                            high
                                                                                                                                                                                                            https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA3AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                              high
                                                                                                                                                                                                              https://dynamic.tsvchost.exe, 00000000.00000003.1372112615.000001E3B945F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                high
                                                                                                                                                                                                                https://agent-api.atera.com/rundll32.exe, 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.11.dr, AlphaControlAgentInstallation.dll.10.dr, AlphaControlAgentInstallation.dll.12.dr, AlphaControlAgentInstallation.dll.24.drfalse
                                                                                                                                                                                                                  high
                                                                                                                                                                                                                  https://dev.virtualearth.net/REST/v1/Routes/Transitsvchost.exe, 00000000.00000002.1374743057.000001E3B9458000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1372525604.000001E3B9457000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                    high
                                                                                                                                                                                                                    https://agent-api.atera.com/Production/Agent/GetRecurringPackagesAteraAgent.exe, 00000014.00000002.2527764895.000001E819E02000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                      high
                                                                                                                                                                                                                      https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zipAteraAgent.exe, 00000014.00000002.2527764895.000001E819767000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                        high
                                                                                                                                                                                                                        https://www.newtonsoft.com/jsonschemaNewtonsoft.Json.dll.24.drfalse
                                                                                                                                                                                                                          high
                                                                                                                                                                                                                          https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c5142d1-8eb7-4c24-9754-9b429320ed0dAteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                            high
                                                                                                                                                                                                                            https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cead9e07-0918-4110-bf73-0cde7886e764AteraAgent.exe, 00000014.00000002.2527764895.000001E8198DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                              high
                                                                                                                                                                                                                              https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=86b5c6de-7733-4db5-b81f-7d902ad87fa7AteraAgent.exe, 00000014.00000002.2527764895.000001E819962000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                                                                                high
IP | Domain | Country | ASN | ASN Name | Malicious
108.158.75.4 | d25btwd9wax8gu.cloudfront.net | United States | 16509 | AMAZON-02US | false
13.232.67.198 | ps.pndsn.com | United States | 16509 | AMAZON-02US | false
                                                                                                                                                                                                                                              Joe Sandbox version:41.0.0 Charoite
                                                                                                                                                                                                                                              Analysis ID:1561808
                                                                                                                                                                                                                                              Start date and time:2024-11-24 11:15:08 +01:00
                                                                                                                                                                                                                                              Joe Sandbox product:CloudBasic
                                                                                                                                                                                                                                              Overall analysis duration:0h 9m 51s
                                                                                                                                                                                                                                              Hypervisor based Inspection enabled:false
                                                                                                                                                                                                                                              Report type:full
                                                                                                                                                                                                                                              Cookbook file name:default.jbs
                                                                                                                                                                                                                                              Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:34
                                                                                                                                                                                                                                              Number of new started drivers analysed:0
                                                                                                                                                                                                                                              Number of existing processes analysed:0
                                                                                                                                                                                                                                              Number of existing drivers analysed:0
                                                                                                                                                                                                                                              Number of injected processes analysed:0
                                                                                                                                                                                                                                              Technologies:
                                                                                                                                                                                                                                              • HCA enabled
                                                                                                                                                                                                                                              • EGA enabled
                                                                                                                                                                                                                                              • AMSI enabled
                                                                                                                                                                                                                                              Analysis Mode:default
                                                                                                                                                                                                                                              Analysis stop reason:Timeout
                                                                                                                                                                                                                                              Sample name:Digital.msi
                                                                                                                                                                                                                                              Detection:MAL
                                                                                                                                                                                                                                              Classification:mal92.troj.spyw.evad.winMSI@46/83@12/2
                                                                                                                                                                                                                                              EGA Information:Failed
                                                                                                                                                                                                                                              HCA Information:Failed
                                                                                                                                                                                                                                              Cookbook Comments:
                                                                                                                                                                                                                                              • Found application associated with file extension: .msi
                                                                                                                                                                                                                                              • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                                                                                                                                                                                                                              • Excluded IPs from analysis (whitelisted): 40.119.152.241, 199.232.214.172, 192.229.221.95
                                                                                                                                                                                                                                              • Excluded domains from analysis (whitelisted): crl.edge.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, cacerts.digicert.com, agentsapi.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, atera-agent-api-eu.westeurope.cloudapp.azure.com, ocsp.edge.digicert.com, crl3.digicert.com, crl4.digicert.com, wu-b-net.trafficmanager.net
                                                                                                                                                                                                                                              • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 2888 because it is empty
                                                                                                                                                                                                                                              • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7492 because it is empty
                                                                                                                                                                                                                                              • Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 7744 because it is empty
                                                                                                                                                                                                                                              • Execution Graph export aborted for target AteraAgent.exe, PID 7876 because it is empty
                                                                                                                                                                                                                                              • Execution Graph export aborted for target AteraAgent.exe, PID 8040 because it is empty
                                                                                                                                                                                                                                              • Execution Graph export aborted for target rundll32.exe, PID 7420 because it is empty
                                                                                                                                                                                                                                              • Execution Graph export aborted for target rundll32.exe, PID 7424 because it is empty
                                                                                                                                                                                                                                              • Execution Graph export aborted for target rundll32.exe, PID 7492 because it is empty
                                                                                                                                                                                                                                              • Execution Graph export aborted for target rundll32.exe, PID 7616 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                                                                                                                                                                              • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                                                                                              • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                                                                                                                                                                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                                                                                                                                                                              • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                                                                                                                                                                              • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                                                                                                                                                                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                                                                                              • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                                                                                                                                                                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                                                                                                                                                                                              • Report size getting too big, too many NtSetInformationFile calls found.
                                                                                                                                                                                                                                              • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                                                                                                                                                                              • VT rate limit hit for: Digital.msi
Time | Type | Description
05:16:09 | API Interceptor | 2x Sleep call for process: rundll32.exe modified
05:16:14 | API Interceptor | 2042953x Sleep call for process: AteraAgent.exe modified
05:16:41 | API Interceptor | 3x Sleep call for process: AgentPackageAgentInformation.exe modified
05:17:02 | API Interceptor | 1x Sleep call for process: MpCmdRun.exe modified
                                                                                                                                                                                                                                                      • 3.165.136.99
                                                                                                                                                                                                                                                      2503.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                      • 99.84.160.56
                                                                                                                                                                                                                                                      Salary.msiGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                      • 108.139.47.50
                                                                                                                                                                                                                                                      https://kinneretacil.egnyte.com/fl/gRykrFURtEGet hashmaliciousAteraAgentBrowse
                                                                                                                                                                                                                                                      • 108.139.47.50
                                                                                                                                                                                                                                                      bg.microsoft.map.fastly.netzapret.exeGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                      • 199.232.214.172
                                                                                                                                                                                                                                                      canva.batGet hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                      • 199.232.210.172
                                                                                                                                                                                                                                                      file.exeGet hashmaliciousJasonRATBrowse
                                                                                                                                                                                                                                                      • 199.232.210.172
                                                                                                                                                                                                                                                      4yOuoT4GFy.exeGet hashmaliciousAsyncRATBrowse
                                                                                                                                                                                                                                                      • 199.232.214.172
                                                                                                                                                                                                                                                      6xQ8CMUaES.exeGet hashmaliciousXmrigBrowse
                                                                                                                                                                                                                                                      • 199.232.210.172
                                                                                                                                                                                                                                                      1732382826559c62d8b84c02e95636f46212b9f803082b7868187644fff4926ca8a53349c1874.dat-decoded.exeGet hashmaliciousLummaCBrowse
                                                                                                                                                                                                                                                      • 199.232.214.172
                                                                                                                                                                                                                                                      17323828261cfef277a3375a886445bf7f5a834ebb1cc85e533e9ac93595cd0e56ebd12426132.dat-decoded.exeGet hashmaliciousXWormBrowse
                                                                                                                                                                                                                                                      • 199.232.214.172
                                                                                                                                                                                                                                                      file.exeGet hashmaliciousClipboard Hijacker, CryptbotBrowse
                                                                                                                                                                                                                                                      • 199.232.210.172
                                                                                                                                                                                                                                                      download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                      • 199.232.210.172
                                                                                                                                                                                                                                                      download.ps1Get hashmaliciousUnknownBrowse
                                                                                                                                                                                                                                                      • 146.75.30.172
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):8807
                                                                                                                                                                                                                                                                          Entropy (8bit):5.65449041261577
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:192:Tjfxz1ccbTOOeMeKZ61N7r6IHfN7r6kAVv70HVotBVeZEmzmYpLAV77RkpY91r:TDD2J9p9tiB2i3
                                                                                                                                                                                                                                                                          MD5:7A8BD1262C82EE43F576D9389F4DAE6D
                                                                                                                                                                                                                                                                          SHA1:20FDD1EC46100B25501DC1E6AA5B29ED628AC40D
                                                                                                                                                                                                                                                                          SHA-256:FA8903DED06E59960620E888830A87ED1E6F998729D48C160FBD31812252FCDA
                                                                                                                                                                                                                                                                          SHA-512:73DC3C5267F0098D2D568AB6AB5D5E9A1E38827F49A10C8295DB15840AE96FF84FCA2F95602988D2FC5C21851329DC3ABBC58EDEE3FEBB52EC22C87268EC2021
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Config.Msi\3ac318.rbs, Author: Joe Security
                                                                                                                                                                                                                                                                          Preview:...@IXOS.@.....@.*xY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..Digital.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]....StopAteraServiceQuiet....KillAteraTaskQuiet....ProcessComponents..Updating component registration..&.{F7DFE9BA-9FAD-11DA-9578-00E08161165F}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{C8C868DC-3A5E-4180-A7BB-03D6282966CB}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{0EC8B23C-C723-41E1-9105-4B9C2CDAD47A}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F1B1B9D1-F1B0-420C-9D93-F04E9BD4795D}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{5F95F700-DCA4-4880-B2D2-891AE0D6E1A3}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{F62C52BA-15C7-4C3D-AAB2-DE65004F9665}&.{E732A0D7-A2F2-4657-AC41-B19742648E45}.@......&.{38F01010-E311-4
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):753
                                                                                                                                                                                                                                                                          Entropy (8bit):4.853078320826549
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:qLLYem7haYNem7hcomf3em7hUQLtygXnC9xkKxeCsx/Yem7haYNem7hcomf3em7B:qLUVhzVhM3VhdLtXXIxkKxeCsOVhzVhY
                                                                                                                                                                                                                                                                          MD5:8298451E4DEE214334DD2E22B8996BDC
                                                                                                                                                                                                                                                                          SHA1:BC429029CC6B42C59C417773EA5DF8AE54DBB971
                                                                                                                                                                                                                                                                          SHA-256:6FBF5845A6738E2DC2AA67DD5F78DA2C8F8CB41D866BBBA10E5336787C731B25
                                                                                                                                                                                                                                                                          SHA-512:CDA4FFD7D6C6DFF90521C6A67A3DBA27BF172CC87CEE2986AE46DCCD02F771D7E784DCAD8AEA0AD10DECF46A1C8AE1041C184206EC2796E54756E49B9217D7BA
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                          Preview:.Installing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..Installing service AteraAgent.....Service AteraAgent has been successfully installed...Creating EventLog source AteraAgent in log Application.....Committing assembly 'C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe'...Affected parameters are:.. logtoconsole = .. assemblypath = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.. logfile = C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog..
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with very long lines (7463), with no line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):7466
                                                                                                                                                                                                                                                                          Entropy (8bit):5.1606801095705865
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:96:R3DrP/zatgCnNjn1x62muDr9aHmzcv/65m7JDcm0BefnanGEkn56vT4ZvR++JDr+:NexdYX7OSRjXsaA0Ndhi
                                                                                                                                                                                                                                                                          MD5:362CE475F5D1E84641BAD999C16727A0
                                                                                                                                                                                                                                                                          SHA1:6B613C73ACB58D259C6379BD820CCA6F785CC812
                                                                                                                                                                                                                                                                          SHA-256:1F78F1056761C6EBD8965ED2C06295BAFA704B253AFF56C492B93151AB642899
                                                                                                                                                                                                                                                                          SHA-512:7630E1629CF4ABECD9D3DDEA58227B232D5C775CB480967762A6A6466BE872E1D57123B08A6179FE1CFBC09403117D0F81BC13724F259A1D25C1325F1EAC645B
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?><ArrayOfKeyValueOfanyTypeanyType xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns:x="http://www.w3.org/2001/XMLSchema" z:Id="1" z:Type="System.Collections.Hashtable" z:Assembly="0" xmlns:z="http://schemas.microsoft.com/2003/10/Serialization/" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays"><LoadFactor z:Id="2" z:Type="System.Single" z:Assembly="0" xmlns="">0.72</LoadFactor><Version z:Id="3" z:Type="System.Int32" z:Assembly="0" xmlns="">2</Version><Comparer i:nil="true" xmlns="" /><HashCodeProvider i:nil="true" xmlns="" /><HashSize z:Id="4" z:Type="System.Int32" z:Assembly="0" xmlns="">3</HashSize><Keys z:Id="5" z:Type="System.Object[]" z:Assembly="0" z:Size="2" xmlns=""><anyType z:Id="6" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/2003/10/Serialization/Arrays">_reserved_nestedSavedStates</anyType><anyType z:Id="7" z:Type="System.String" z:Assembly="0" xmlns="http://schemas.microsoft.com/20
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):145968
                                                                                                                                                                                                                                                                          Entropy (8bit):5.874150428357998
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
                                                                                                                                                                                                                                                                          MD5:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                          SHA1:E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
                                                                                                                                                                                                                                                                          SHA-256:A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
                                                                                                                                                                                                                                                                          SHA-512:23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 26%
                                                                                                                                                                                                                                                                          Joe Sandbox View:
• Filename: setup (1).msi, Detection: malicious
• Filename: BOMB-762.msi, Detection: malicious
• Filename: LaudoBombeirosPDF.msi, Detection: malicious
• Filename: 1nzNNooNMS.msi, Detection: malicious
• Filename: Le55bnMCON.msi, Detection: malicious
• Filename: z8yxMFhhZI.msi, Detection: malicious
• Filename: kTbv9ZA2x0.msi, Detection: malicious
• Filename: IwmwOaVHnd.msi, Detection: malicious
• Filename: gaYiWz75kv.msi, Detection: malicious
• Filename: e8gTT6OTKZ.msi, Detection: malicious
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1442
                                                                                                                                                                                                                                                                          Entropy (8bit):5.076953226383825
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:JdfrdB2nk3Jc3J4YH33Jy34OqsJ+J4YHKJy34OOAPF7NhOXrRH2/d9r:3frf2nKS4YHJyILsJ+J4YHKJyIv47O7w
                                                                                                                                                                                                                                                                          MD5:B3BB71F9BB4DE4236C26578A8FAE2DCD
                                                                                                                                                                                                                                                                          SHA1:1AD6A034CCFDCE5E3A3CED93068AA216BD0C6E0E
                                                                                                                                                                                                                                                                          SHA-256:E505B08308622AD12D98E1C7A07E5DC619A2A00BCD4A5CBE04FE8B078BCF94A2
                                                                                                                                                                                                                                                                          SHA-512:FB6A46708D048A8F964839A514315B9C76659C8E1AB2CD8C5C5D8F312AA4FB628AB3CE5D23A793C41C13A2AA6A95106A47964DAD72A5ECB8D035106FC5B7BA71
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>.. .. <supportedRuntime version="v4.0" sku=".NETFramework,Version=v4.5" /></startup>.... <appSettings>.. .. .. .. <add key="ClientSettingsProvider.ServiceUri" value="" />.. </appSettings>.. .. .. <system.web>.. <membership defaultProvider="ClientAuthenticationMembershipProvider">.. <providers>.. <add name="ClientAuthenticationMembershipProvider" type="System.Web.ClientServices.Providers.ClientFormsAuthenticationMembershipProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" />.. </providers>.. </membership>.. <roleManager defaultProvider="ClientRoleProvider" enabled="true">.. <providers>.. <add name="ClientRoleProvider" type="System.Web.ClientServices.Providers.ClientRoleProvider, System.Web.Extensions, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" serviceUri="" cacheTimeout="86
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):3318832
                                                                                                                                                                                                                                                                          Entropy (8bit):6.534876879948643
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:49152:yIBbo0WIgmjljFtXCdRLRBcJd+KaGxHIkMNqzP56O8lZ7qXUqi9p:DBbBWIgWljGxRB/LLp
                                                                                                                                                                                                                                                                          MD5:11CC798BAFA45BE12D27C68D6B59BA27
                                                                                                                                                                                                                                                                          SHA1:4D1CA0C0F1BC3691F5F852CC8D3ED88605B70434
                                                                                                                                                                                                                                                                          SHA-256:443A1C088E62810A954FFE9F0136F7A8D5E44928425D23B5284D936270D9837A
                                                                                                                                                                                                                                                                          SHA-512:FA0AEAF5309FD1593DB8AF774F18AA9CDA9B7ABD3F32D34CFD1B615EE68CECA0155DFB0AB7351E182B1B9D872BF41B19E66D2B597D2BA6300AF332A0F525C75A
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):215088
                                                                                                                                                                                                                                                                          Entropy (8bit):6.030864151731967
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6144:r1uYsjrFIzmuxpOI/1MvCdRbpSISC8j7s/k:mIzm6pOIgvr7ok
                                                                                                                                                                                                                                                                          MD5:C106DF1B5B43AF3B937ACE19D92B42F3
                                                                                                                                                                                                                                                                          SHA1:7670FC4B6369E3FB705200050618ACAA5213637F
                                                                                                                                                                                                                                                                          SHA-256:2B5B7A2AFBC88A4F674E1D7836119B57E65FAE6863F4BE6832C38E08341F2D68
                                                                                                                                                                                                                                                                          SHA-512:616E45E1F15486787418A2B2B8ECA50CACAC6145D353FF66BF2C13839CD3DB6592953BF6FEED1469DB7DDF2F223416D5651CD013FB32F64DC6C72561AB2449AE
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):710192
                                                                                                                                                                                                                                                                          Entropy (8bit):5.96048066969898
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:3BARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTUU:3BA/ZTvQD0XY0AJBSjRlXP36RMGV
                                                                                                                                                                                                                                                                          MD5:2C4D25B7FBD1ADFD4471052FA482AF72
                                                                                                                                                                                                                                                                          SHA1:FD6CD773D241B581E3C856F9E6CD06CB31A01407
                                                                                                                                                                                                                                                                          SHA-256:2A7A84768CC09A15362878B270371DAAD9872CAACBBEEBE7F30C4A7ED6C03CA7
                                                                                                                                                                                                                                                                          SHA-512:F7F94EC00435466DB2FB535A490162B906D60A3CFA531A36C4C552183D62D58CCC9A6BB8BBFE39815844B0C3A861D3E1F1178E29DBCB6C09FA2E6EBBB7AB943A
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Zip archive data, at least v4.5 to extract, compression method=deflate
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):384542
                                                                                                                                                                                                                                                                          Entropy (8bit):7.999374626035649
                                                                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                                                                          SSDEEP:6144:viqRTU5exRWDCtTLvL0XRFJE9A+BQlv9I+NBsNQvaNXvhGf1mzVeUXJLo:vil/DSLvAJ6CxBHmJXVpJLo
                                                                                                                                                                                                                                                                          MD5:4A09A87D2004DAC4B00687E9C9F15036
                                                                                                                                                                                                                                                                          SHA1:C78BB288E7A96642093ABE44CB9B7BBD3EC447BA
                                                                                                                                                                                                                                                                          SHA-256:2DBC8CF2592604C09793CBED61E0B072B1B1FFA375FB3C9ABCA83FA0E18AB9A5
                                                                                                                                                                                                                                                                          SHA-512:F555F5A0BB80514BC71BB33A77620D28A9E6715E538372AAA7F0500BC8D5BFE8511F5CA982E15304422479FF693E6F38510D6616A94580FC1B105DD2DA605EAA
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):177704
                                                                                                                                                                                                                                                                          Entropy (8bit):5.814572246989157
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:2DpvOyLSson7aezB53Pbsk4GJCMA1TSuAehuZ7f2lz8/Cvolc3a:2D4y07asBx4krGSegZX3
                                                                                                                                                                                                                                                                          MD5:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                          SHA1:2E537E504704670B52CE775943F14BFBAF175C1B
                                                                                                                                                                                                                                                                          SHA-256:847D0CD49CCE4975BAFDEB67295ED7D2A3B059661560CA5E222544E9DFC5E760
                                                                                                                                                                                                                                                                          SHA-512:47228CBDBA54CD4E747DBA152FEB76A42BFC6CD781054998A249B62DD0426C5E26854CE87B6373F213B4E538A62C08A89A488E719E2E763B7B968E77FBF4FC02
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):546
                                                                                                                                                                                                                                                                          Entropy (8bit):5.048902065665432
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:MMHdG3VSQg9LNFF7ap+5v5OXrRf/2//FicYo4xm:JdASPF7NhOXrRH2/d9r
                                                                                                                                                                                                                                                                          MD5:158FB7D9323C6CE69D4FCE11486A40A1
                                                                                                                                                                                                                                                                          SHA1:29AB26F5728F6BA6F0E5636BF47149BD9851F532
                                                                                                                                                                                                                                                                          SHA-256:5E38EF232F42F9B0474F8CE937A478200F7A8926B90E45CB375FFDA339EC3C21
                                                                                                                                                                                                                                                                          SHA-512:7EEFCC5E65AB4110655E71BC282587E88242C15292D9C670885F0DAAE30FA19A4B059390EB8E934607B8B14105E3E25D7C5C1B926B6F93BDD40CBD284AAA3CEB
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Preview:.<?xml version="1.0" encoding="utf-8"?>..<configuration>.. <startup>...<supportedRuntime version="v4.0" />.. <supportedRuntime version="v2.0.50727" />.. </startup>.. <runtime>.. <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">.. <dependentAssembly>.. <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />.. <bindingRedirect oldVersion="0.0.0.0-13.0.0.0" newVersion="13.0.0.0" />.. </dependentAssembly>.. </assemblyBinding>.. </runtime>..</configuration>..
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:ASCII text, with no line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):12
                                                                                                                                                                                                                                                                          Entropy (8bit):3.584962500721156
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3:WhWbn:WCn
                                                                                                                                                                                                                                                                          MD5:EB053699FC80499A7185F6D5F7D55BFE
                                                                                                                                                                                                                                                                          SHA1:9700472D22B1995C320507917FA35088AE4E5F05
                                                                                                                                                                                                                                                                          SHA-256:BCE3DFDCA8F0B57846E914D497F4BB262E3275F05EA761D0B4F4B778974E6967
                                                                                                                                                                                                                                                                          SHA-512:D66FA39C69D9C6448518CB9F98CBDAD4CE5E93CEEF8D20CE0DEEF91FB3E512B5D5A9458F7B8A53D4B68D693107872C5445E99F87C948878F712F8A79BC761DBF
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:version=38.0
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):96808
                                                                                                                                                                                                                                                                          Entropy (8bit):6.1799972918389185
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:1536:UJt7dqUlizL21LDdeOKTfLz2L506wFj/XxFoKjhJG/50vks00UfgfgvO1762A:UQUm2H5KTfOLgxFJjE50vksVUfPvO1W
                                                                                                                                                                                                                                                                          MD5:E2A9291940753244C88CB68D28612996
                                                                                                                                                                                                                                                                          SHA1:BAD8529A85C32E5C26C907CFB2FB0DA8461407AE
                                                                                                                                                                                                                                                                          SHA-256:6565E67D5DB582B3DE0B266EB59A8ACEC7CDF9943C020CB6879833D8BD784378
                                                                                                                                                                                                                                                                          SHA-512:F07669A3939E3E6B5A4D90C3A5B09CA2448E8E43AF23C08F7A8621817A49F7B0F5956D0539333A6DF334CC3E517255242E572EAEF02A7BBF4BC141A438BF9EB9
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):704552
                                                                                                                                                                                                                                                                          Entropy (8bit):5.953959038895453
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:/9BzaPm657wqehcZBLX+HK+kPJUQEKx07N0TCBGiBCjC0PDgM5j9FKjc3i:/8m657w6ZBLmkitKqBCjC0PDgM5y
                                                                                                                                                                                                                                                                          MD5:3EF8D12AA1D48DEC3AC19A0CEABD4FD8
                                                                                                                                                                                                                                                                          SHA1:C81B7229A9BD55185A0EDCCB7E6DF3B8E25791CF
                                                                                                                                                                                                                                                                          SHA-256:18C1DDBDBF47370CC85FA2CF7BA043711AB3EADBD8DA367638686DFD6B735C85
                                                                                                                                                                                                                                                                          SHA-512:0FF2E8DBFEF7164B22F9AE9865E83154096971C3F0B236D988AB947E803C1ED03D86529AB80D2BE9FF33AF305D34C9B30082F8C26E575F0979CA9287B415F9F9
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):602672
                                                                                                                                                                                                                                                                          Entropy (8bit):6.145404526272746
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6144:UShQrHBJEwJiIJJ8TihsEWdzs29glRleqn4uRTJgwhVHhoNw0r17K7DDaiC3KM+9:gHDxJGihsEKwSuTuwvOWgFA
                                                                                                                                                                                                                                                                          MD5:17D74C03B6BCBCD88B46FCC58FC79A0D
                                                                                                                                                                                                                                                                          SHA1:BC0316E11C119806907C058D62513EB8CE32288C
                                                                                                                                                                                                                                                                          SHA-256:13774CC16C1254752EA801538BFB9A9D1328F8B4DD3FF41760AC492A245FBB15
                                                                                                                                                                                                                                                                          SHA-512:F1457A8596A4D4F9B98A7DCB79F79885FA28BD7FC09A606AD3CD6F37D732EC7E334A64458E51E65D839DDFCDF20B8B5676267AA8CED0080E8CF81A1B2291F030
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):73264
                                                                                                                                                                                                                                                                          Entropy (8bit):5.954475034553661
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:1536:6784YWac+abptsy5VyYc/9n1RcGxzeeUVn9KyQgHo0JuresehaAR7HxRq:67N1r9KGI04CCARLq
                                                                                                                                                                                                                                                                          MD5:F4D9D65581BD82AF6108CFA3DD265A9A
                                                                                                                                                                                                                                                                          SHA1:A926695B1E5D3842D8345C56C087E58845307A16
                                                                                                                                                                                                                                                                          SHA-256:A3219CD30420EBCF7507C9C9F92FD551AE19999BE247CAA861A8A22D265BE379
                                                                                                                                                                                                                                                                          SHA-512:144C1195A440907592B22FC947F4284CA36869BDAE495EC8CA5212AF4F63E8E8492FB0EC3B37BF66DB912AF30864C69588D0E35ED9B3D24D36DF3B09DDB5B6C3
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):214
                                                                                                                                                                                                                                                                          Entropy (8bit):5.239584367190541
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3:A02GeUMrMui9wqWluiKFHnFSLRg42VVnItFafkRcfocpjcQvBsMVOTFiV2D2y:A1Hg9w3pKFSQRIkk6fBvOTFvDX
                                                                                                                                                                                                                                                                          MD5:AA0EF9FB33327140C65A352D582CB4A6
                                                                                                                                                                                                                                                                          SHA1:F5D3D34096B08D548BF01759D230FCD671584844
                                                                                                                                                                                                                                                                          SHA-256:29AE89E1350AB881DED4D5208B7145C2BB08896B145D9B6FFD7E9A34F5BC3AE0
                                                                                                                                                                                                                                                                          SHA-512:28CDC9F1044AB7A04C21A3FA57F58FCAC3FAB512A39F5970393D62ACBAAD736A6E9317C81654453437C9CF8840F51A069E9F006A6DF049CA7CFFC9A226D99ED7
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:/i /IntegratorLogin=Salim.Jami@korektel.com /CompanyId=1 /IntegratorLoginUI= /CompanyIdUI= /FolderId= /AccountId=001Q300000KANvwIAH /AgentId=1db40f91-941c-4bcb-961d-1fe2982e82b6.24/11/2024 05:16:16 Trace Starting..
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:CSV text
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):2402
                                                                                                                                                                                                                                                                          Entropy (8bit):5.362731083469072
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:MxHKQg8mHDp684IHTQ06YHKGSI6oPtHTHhAHKKk+HKlT4v1qHGIs0HKaHKmTHlH7:iqzCIzQ06YqGSI6oPtzHeqKk+qZ4vwme
                                                                                                                                                                                                                                                                          MD5:28B4BFE9130A35038BD57B2F89847BAE
                                                                                                                                                                                                                                                                          SHA1:8DBF9D2800AB08CCA18B4BA00549513282B774A9
                                                                                                                                                                                                                                                                          SHA-256:19F498CAE589207075B8C82D7DACEAE23997D61B93A971A4F049DC14C8A3D514
                                                                                                                                                                                                                                                                          SHA-512:02100FD4059C4D32FBAAA9CEAACB14C50A4359E4217203B2F7A40E298AD819ED5469F2442291F12852527A2B7109CC5F7BFF7FDAD53BA5ABF75FC5F0474E984F
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Confe64a9051#\434f871c532673e1359654ad68a1c225\System.Configuration.Install.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\a
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:CSV text
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):651
                                                                                                                                                                                                                                                                          Entropy (8bit):5.343677015075984
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
                                                                                                                                                                                                                                                                          MD5:7EEF860682F76EC7D541A8C1A3494E3D
                                                                                                                                                                                                                                                                          SHA1:58D759A845D2D961A5430E429EF777E60C48C87E
                                                                                                                                                                                                                                                                          SHA-256:65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
                                                                                                                                                                                                                                                                          SHA-512:BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):2994176
                                                                                                                                                                                                                                                                          Entropy (8bit):7.878667565018582
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:49152:q+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:q+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                          MD5:391A7DCF2FF4AF032A8DE9B5BFC5B7D9
                                                                                                                                                                                                                                                                          SHA1:22E2261C6E65F3D95406E66C77D3942D51790417
                                                                                                                                                                                                                                                                          SHA-256:E652634F90F23553D56FA937227C039F8769F9509051A434A14990785A8AB57F
                                                                                                                                                                                                                                                                          SHA-512:5ADF800ADC213F114A282B0FF29E33E14B70E66DC685A31826E497A6344961DE1B7DBF5412B3539EB6EE5ABC223BE8209953352FD6F9A4F2CBAAAFC3F4770C44
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):2994176
                                                                                                                                                                                                                                                                          Entropy (8bit):7.878667565018582
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:49152:q+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:q+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                          MD5:391A7DCF2FF4AF032A8DE9B5BFC5B7D9
                                                                                                                                                                                                                                                                          SHA1:22E2261C6E65F3D95406E66C77D3942D51790417
                                                                                                                                                                                                                                                                          SHA-256:E652634F90F23553D56FA937227C039F8769F9509051A434A14990785A8AB57F
                                                                                                                                                                                                                                                                          SHA-512:5ADF800ADC213F114A282B0FF29E33E14B70E66DC685A31826E497A6344961DE1B7DBF5412B3539EB6EE5ABC223BE8209953352FD6F9A4F2CBAAAFC3F4770C44
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                                                                          Size (bytes):521954
                                                                                                                                                                                                                                                                          Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                          MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                          SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                          SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                          SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):25600
                                                                                                                                                                                                                                                                          Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                          MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                          SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                          SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                          SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSI1EC.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1538
                                                                                                                                                                                                                                                                          Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                          MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                          SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                          SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                          SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):184240
                                                                                                                                                                                                                                                                          Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                          MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                          SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                          SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                          SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                                                                          Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                          MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                          SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                          SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                          SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):61448
                                                                                                                                                                                                                                                                          Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                          MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                          SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                          SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                          SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):521954
                                                                                                                                                                                                                                                                          Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                          MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                          SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                          SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                          SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):25600
                                                                                                                                                                                                                                                                          Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                          MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                          SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                          SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                          SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIC52A.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1538
                                                                                                                                                                                                                                                                          Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                          MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                          SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                          SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                          SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):184240
                                                                                                                                                                                                                                                                          Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                          MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                          SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                          SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                          SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                                                                          Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                          MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                          SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                          SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                          SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):61448
                                                                                                                                                                                                                                                                          Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                          MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                          SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                          SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                          SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):521954
                                                                                                                                                                                                                                                                          Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                          MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                          SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                          SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                          SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):25600
                                                                                                                                                                                                                                                                          Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                          MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                          SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                          SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                          SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIC932.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1538
                                                                                                                                                                                                                                                                          Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                          MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                          SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                          SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                          SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):184240
                                                                                                                                                                                                                                                                          Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                          MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                          SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                          SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                          SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                                                                          Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                          MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                          SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                          SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                          SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):61448
                                                                                                                                                                                                                                                                          Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                          MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                          SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                          SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                          SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows, InstallShield self-extracting archive
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):521954
                                                                                                                                                                                                                                                                          Entropy (8bit):7.356225107100806
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:GnBaimP+DJLxQb6CBCldjCaOIM7PmD8WoKO2qHxf:kG2D3QbCldj1MK/tzG
                                                                                                                                                                                                                                                                          MD5:88D29734F37BDCFFD202EAFCDD082F9D
                                                                                                                                                                                                                                                                          SHA1:823B40D05A1CAB06B857ED87451BF683FDD56A5E
                                                                                                                                                                                                                                                                          SHA-256:87C97269E2B68898BE87B884CD6A21880E6F15336B1194713E12A2DB45F1DCCF
                                                                                                                                                                                                                                                                          SHA-512:1343ED80DCCF0FA4E7AE837B68926619D734BC52785B586A4F4102D205497D2715F951D9ACACC8C3E5434A94837820493173040DC90FB7339A34B6F3EF0288D0
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):25600
                                                                                                                                                                                                                                                                          Entropy (8bit):5.009968638752024
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:384:akuS4rIWmFo967HkYc/4CmvZqVZa9VSlkfO2IROklJhwaHr1LpvTVi:RuVs3bXCmvZqu3u9OiNL1LpvTs
                                                                                                                                                                                                                                                                          MD5:AA1B9C5C685173FAD2DABEBEB3171F01
                                                                                                                                                                                                                                                                          SHA1:ED756B1760E563CE888276FF248C734B7DD851FB
                                                                                                                                                                                                                                                                          SHA-256:E44A6582CD3F84F4255D3C230E0A2C284E0CFFA0CA5E62E4D749E089555494C7
                                                                                                                                                                                                                                                                          SHA-512:D3BFB4BD7E7FDB7159FBFC14056067C813CE52CDD91E885BDAAC36820B5385FB70077BF58EC434D31A5A48245EB62B6794794618C73FE7953F79A4FC26592334
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIE1CC.tmp-\AlphaControlAgentInstallation.dll, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1538
                                                                                                                                                                                                                                                                          Entropy (8bit):4.735670966653348
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:2dhmhx0PY6Iee7LfKhT06XWslTh17jJB+aZtG9jDqRp:c0nd5t7q7WsFD7t3tG96n
                                                                                                                                                                                                                                                                          MD5:BC17E956CDE8DD5425F2B2A68ED919F8
                                                                                                                                                                                                                                                                          SHA1:5E3736331E9E2F6BF851E3355F31006CCD8CAA99
                                                                                                                                                                                                                                                                          SHA-256:E4FF538599C2D8E898D7F90CCF74081192D5AFA8040E6B6C180F3AA0F46AD2C5
                                                                                                                                                                                                                                                                          SHA-512:02090DAF1D5226B33EDAAE80263431A7A5B35A2ECE97F74F494CC138002211E71498D42C260395ED40AEE8E4A40474B395690B8B24E4AEE19F0231DA7377A940
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:<?xml version="1.0" encoding="utf-8" ?>..<configuration>.. <startup useLegacyV2RuntimeActivationPolicy="true">.... .. Use supportedRuntime tags to explicitly specify the version(s) of the .NET Framework runtime that.. the custom action should run on. If no versions are specified, the chosen version of the runtime.. will be the "best" match to what Microsoft.Deployment.WindowsInstaller.dll was built against..... WARNING: leaving the version unspecified is dangerous as it introduces a risk of compatibility.. problems with future versions of the .NET Framework runtime. It is highly recommended that you specify.. only the version(s) of the .NET Framework runtime that you have tested against..... Note for .NET Framework v3.0 and v3.5, the runtime version is still v2.0..... In order to enable .NET Framework version 2.0 runtime activation policy, which is to load all assemblies.. by using the latest
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):184240
                                                                                                                                                                                                                                                                          Entropy (8bit):5.876033362692288
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:BGfZS7hUuK3PcbFeRRLxyR69UgoCaf8+aCnfKlRUjW01KymkO:9zMRLkR6joxfRPW
                                                                                                                                                                                                                                                                          MD5:1A5CAEA6734FDD07CAA514C3F3FB75DA
                                                                                                                                                                                                                                                                          SHA1:F070AC0D91BD337D7952ABD1DDF19A737B94510C
                                                                                                                                                                                                                                                                          SHA-256:CF06D4ED4A8BAF88C82D6C9AE0EFC81C469DE6DA8788AB35F373B350A4B4CDCA
                                                                                                                                                                                                                                                                          SHA-512:A22DD3B7CF1C2EDCF5B540F3DAA482268D8038D468B8F00CA623D1C254AFFBBC1446E5BD42ADC3D8E274BE3BA776B0034E179FACCD9AC8612CCD75186D1E3BF1
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):711952
                                                                                                                                                                                                                                                                          Entropy (8bit):5.96669864901384
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:WBARJBRZl/j1TbQ7n5WLm4k0X57ZYrgNHgK9C1BSjRlXP36RMGy1NqTU+:WBA/ZTvQD0XY0AJBSjRlXP36RMG7
                                                                                                                                                                                                                                                                          MD5:715A1FBEE4665E99E859EDA667FE8034
                                                                                                                                                                                                                                                                          SHA1:E13C6E4210043C4976DCDC447EA2B32854F70CC6
                                                                                                                                                                                                                                                                          SHA-256:C5C83BBC1741BE6FF4C490C0AEE34C162945423EC577C646538B2D21CE13199E
                                                                                                                                                                                                                                                                          SHA-512:BF9744CCB20F8205B2DE39DBE79D34497B4D5C19B353D0F95E87EA7EF7FA1784AEA87E10EFCEF11E4C90451EAA47A379204EB0533AA3018E378DD3511CE0E8AD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):61448
                                                                                                                                                                                                                                                                          Entropy (8bit):6.332072334718381
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:768:xieZDWtg+ESsRTgCayrMkp6SEI9016UJKdi1diF55U/h:xwg+ESsVgCayY/pYgwkd0Eh
                                                                                                                                                                                                                                                                          MD5:878E361C41C05C0519BFC72C7D6E141C
                                                                                                                                                                                                                                                                          SHA1:432EF61862D3C7A95AB42DF36A7CAF27D08DC98F
                                                                                                                                                                                                                                                                          SHA-256:24DE61B5CAB2E3495FE8D817FB6E80094662846F976CF38997987270F8BBAE40
                                                                                                                                                                                                                                                                          SHA-512:59A7CBB9224EE28A0F3D88E5F0C518B248768FF0013189C954A3012463E5C0BA63A7297497131C9C0306332646AF935DD3A1ACF0D3E4E449351C28EC9F1BE1FA
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):437312
                                                                                                                                                                                                                                                                          Entropy (8bit):6.648061560167878
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12288:Lt3jOZy2KsGU6a4Ksht3jOZy2KsGU6a4KsM:ZzOE2Z34KGzOE2Z34KX
                                                                                                                                                                                                                                                                          MD5:B75C43F36BDA8BC2FAA29BEB3A32285F
                                                                                                                                                                                                                                                                          SHA1:00E816227A29A5255DA881EBBFDA35AB942AD4BA
                                                                                                                                                                                                                                                                          SHA-256:A02F0FB0F6C48AD33F3FE4B6ED3FAB7E278D002BA531BF1672D0503DB996FE70
                                                                                                                                                                                                                                                                          SHA-512:4A2F470DC8AC92F271EBC090E6FB7711028524B4069CC71077C6924CF742255E0DF9FAC33626B324B12A65094780B4E4BFC263C24F983085F6881379C7B9BCF0
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\MSIE5D4.tmp, Author: Joe Security
                                                                                                                                                                                                                                                                          Preview:...@IXOS.@.....@.*xY.@.....@.....@.....@.....@.....@......&.{E732A0D7-A2F2-4657-AC41-B19742648E45}..AteraAgent..Digital.msi.@.....@.....@.....@........&.{721AD955-79FD-4019-BBF5-9DCC4C1175BB}.....@.....@.....@.....@.......@.....@.....@.......@......AteraAgent......Rollback..Rolling back action:..[1]..RollbackCleanup..Removing backup files..File: [1]...@.......@........StopAteraServiceQuiet....J...StopAteraServiceQuiet.@A......M..MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........................^.......\......].........................,.......<.........L...'.....'.....'.P.......8.....'.....Rich............................PE..L...Ap.]...........!.........P............................................................@.........................@................P..x....................`..........T...............................@...............<............................text...[......................
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):216496
                                                                                                                                                                                                                                                                          Entropy (8bit):6.646208142644182
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3072:/Jz/kyKA1X1dxbOZU32KndB4GLvyui2lhQtEaY4IDflQn0xHuudQ+cxEHSiZxaQ:/t/kE1jOZy2KL4GBiwQtEa4L2sV
                                                                                                                                                                                                                                                                          MD5:A3AE5D86ECF38DB9427359EA37A5F646
                                                                                                                                                                                                                                                                          SHA1:EB4CB5FF520717038ADADCC5E1EF8F7C24B27A90
                                                                                                                                                                                                                                                                          SHA-256:C8D190D5BE1EFD2D52F72A72AE9DFA3940AB3FACEB626405959349654FE18B74
                                                                                                                                                                                                                                                                          SHA-512:96ECB3BC00848EEB2836E289EF7B7B2607D30790FFD1AE0E0ACFC2E14F26A991C6E728B8DC67280426E478C70231F9E13F514E52C8CE7D956C1FAD0E322D98E0
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Antivirus:
                                                                                                                                                                                                                                                                          • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                                                                                          Entropy (8bit):1.163083130597649
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:JSbX72Fjt6AGiLIlHVRpY5h/7777777777777777777777777vDHFfMxdcZDv4p9:Jv6QI5eJMT4DvNF
                                                                                                                                                                                                                                                                          MD5:5D8C124A5BA829195FC03D401781F7FD
                                                                                                                                                                                                                                                                          SHA1:FACC5C8EE960562E0447570279C6346055860C45
                                                                                                                                                                                                                                                                          SHA-256:4FA2689284CB1CD8709F920B6633DFB725921EE674F4F9398E1346AE90CF3A4A
                                                                                                                                                                                                                                                                          SHA-512:F31B1DB43484589F902C3C1942CAEEFD694D8BD7FC67BF7018582496A2AA45F535D987477CA5B3C71FA95D3DA552AC96A9EA57C3A5E591E93E0CC1CD999AF302
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                                                                                          Entropy (8bit):1.559314386709612
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:bJ8PhluRc06WXJeFT5SsxqISoedGPdGftrpDStedGPdGRubeDn:Ahl11FTcssISo6D
                                                                                                                                                                                                                                                                          MD5:40B833DF799A52BB524C0E591ED0F533
                                                                                                                                                                                                                                                                          SHA1:CF6A16340CE8DF8C4B16F733169659E8A7FB61D8
                                                                                                                                                                                                                                                                          SHA-256:B2680AB32E171663A1CF9138A0CFDF0F6F8170980153D5F711CEAFCDAB0AAEC6
                                                                                                                                                                                                                                                                          SHA-512:D2BFD58192B7889A17AE41446497D6B8EC7C66BF8CE88E772137C7B9E9B00075CE84F0A985C05A453ABA5A4A3E896D05CB4C438735EF826F010C8800974C9D50
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Installer\inprogressinstallinfo.ipi, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):360001
                                                                                                                                                                                                                                                                          Entropy (8bit):5.362987288439442
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:1536:6qELG7gK+RaOOp3LCCpfmLgYI66xgFF9Sq8K6MAS2OMUHl6Gin327D22A26KgauU:zTtbmkExhMJCIpEB
                                                                                                                                                                                                                                                                          MD5:391B5428E927A7CA653828462B1F6310
                                                                                                                                                                                                                                                                          SHA1:4FB7ECA6F9CA9409BBE3593A2DB5A184D496F57D
                                                                                                                                                                                                                                                                          SHA-256:35A7088F0702CA669113919FF646281E48F8B4E1071E9A75F77D94C697739F36
                                                                                                                                                                                                                                                                          SHA-512:71E1092401CAB10266DA727994FC3A897297BEDB930B10057E9B33D8E112CDBEFE05F57D6C3A375BF7FE6D76654AE4B7272B2FB6D4D2983728377586EAD7F000
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:.To learn about increasing the verbosity of the NGen log files please see http://go.microsoft.com/fwlink/?linkid=210113..12/07/2019 14:54:22.458 [5488]: Command line: D:\wd\compilerTemp\BMT.200yuild.1bk\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems /nologo ..12/07/2019 14:54:22.473 [5488]: Executing command from offline queue: install "System.Runtime.WindowsRuntime.UI.Xaml, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=b77a5c561934e089, processorArchitecture=msil" /NoDependencies /queue:1..12/07/2019 14:54:22.490 [5488]: Executing command from offline queue: install "System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil" /NoDependencies /queue:3..12/07/2019 14:54:22.490 [5488]: Exclusion list entry found for System.Web.ApplicationServices, Version=4.0.0.0, Culture=Neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=msil; it will not be installed..12/07/2019 14:54:22.490 [
                                                                                                                                                                                                                                                                          Process:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                                                                          Size (bytes):2464
                                                                                                                                                                                                                                                                          Entropy (8bit):3.2483810814333283
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:QOaqdmuF3rcDo+kWReHgHttUKlDENh+pyMySn6tUKlDENh+pyMySwwIPVxcwIPVY:FaqdF7cU+AAHdKoqKFxcxkFCq
                                                                                                                                                                                                                                                                          MD5:19AAD0287AD424D4646C5D7C588AA97A
                                                                                                                                                                                                                                                                          SHA1:A572FB95728F8E2FAA7172F7DACE4DEA417F8004
                                                                                                                                                                                                                                                                          SHA-256:E1619BDD717D794344EB2459336596FBD45E02E41A7E67792A49287E40CFA73A
                                                                                                                                                                                                                                                                          SHA-512:6BE17898277B7A0D4BC7E438D6C4C0C69A4F2CAEDF1A1DAD4AB7851B29CCEAEE8FF7D76482F664E02F82E9A6C04C974C16E4E2FC07EBE14B8C8BD45C4DE98814
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:-------------------------------------------------------------------------------------..MpCmdRun: Command Line: "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable.. Start Time: Sun Nov 24 2024 05:17:02....MpEnsureProcessMitigationPolicy: hr = 0x1..WDEnable..*********************************** WSC State Info *************************..*********************************** AntiVirusProduct *************************..displayName = [Windows Defender]..pathToSignedProductExe = [windowsd
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):704
                                                                                                                                                                                                                                                                          Entropy (8bit):4.805280550692434
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:tIDRFK4mAX7RBem7hccD+PRem7hUhiiGNGNdg6MhgRBem7hccD+PRem7hUGNGNkm:Us43XVBVhcmMRVhMipNVeBVhcmMRVhro
                                                                                                                                                                                                                                                                          MD5:EF51E16A5B81AB912F2478FE0A0379D6
                                                                                                                                                                                                                                                                          SHA1:B0F9E2EE284DD1590EA31B2D3AD736D77B9FC6A7
                                                                                                                                                                                                                                                                          SHA-256:2C5D5397CEDF66DB724FED7FB4515B026A894F517A0DFBE8AE8ADF52DB61AA22
                                                                                                                                                                                                                                                                          SHA-512:296A11DB55BFEE7D87897BB63BC9E2C05786D3FD73A894DA5AF76F7A756495C6CCC0959C88844DFB5560DE2374A257201D960E004EC09D8C9DFB50952C5EF2D2
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\System32\InstallUtil.InstallLog, Author: Joe Security
                                                                                                                                                                                                                                                                          Preview:...Running a transacted installation.....Beginning the Install phase of the installation...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Install phase completed successfully, and the Commit phase is beginning...See the contents of the log file for the C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe assembly's progress...The file is located at C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog.....The Commit phase completed successfully.....The transacted install has completed...
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):111002
                                                                                                                                                                                                                                                                          Entropy (8bit):6.451729490748972
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:1536:kPzgm47BQL7ZMFPZ7t0zfIagnbSLDII+D61SdOkC7/:kbgN7BGFoZ7+gbE8pD61JL
                                                                                                                                                                                                                                                                          MD5:E43056855200281951812F3A6D94EFF7
                                                                                                                                                                                                                                                                          SHA1:66253EFEAE45E17339D00E2277A4E619E7E2FABC
                                                                                                                                                                                                                                                                          SHA-256:04A68A7F0A5E5AEE56899E2080B5E5C6FCC35564F470551E8FB2031C45F2B03F
                                                                                                                                                                                                                                                                          SHA-512:B98CAAD890078D0FE69F35176AB294380D98B480E6BD973DA10EE31B175E63A53C5E4DFB61405B7FAB85EA5D5FB01C4869287B70D7FE2F3F50F619C313F8911C
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):471
                                                                                                                                                                                                                                                                          Entropy (8bit):7.187019651177751
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:JyYOzg5GLsHzqTykJ0Ysbwsn5SWPYkq3n:JRO0ILsyJ0Y+Z5lYn
                                                                                                                                                                                                                                                                          MD5:441A4996E2EE86C4B588D8C0D407E7C2
                                                                                                                                                                                                                                                                          SHA1:0987D79EAECF4AFAD0E5C6F7BD9BD0A90CEABBD4
                                                                                                                                                                                                                                                                          SHA-256:300CFA12D5560F2B04E870FE42E15B6A2007E8F53E4CE1329BD506382075E657
                                                                                                                                                                                                                                                                          SHA-512:8D6D5BD1EA7BAAFEB8CA750CE112ED7FAD1477E1DEEF34994A145893EED217D1A9990A52D76790F8C00484378778504626E5C6A5F5193B8DA661AFDBD62600B0
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Microsoft Cabinet archive data, Windows 2000/XP setup, 71954 bytes, 1 file, at 0x2c +A "authroot.stl", number 1, 6 datablocks, 0x1 compression
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):71954
                                                                                                                                                                                                                                                                          Entropy (8bit):7.996617769952133
                                                                                                                                                                                                                                                                          Encrypted:true
                                                                                                                                                                                                                                                                          SSDEEP:1536:gc257bHnClJ3v5mnAQEBP+bfnW8Ctl8G1G4eu76NWDdB34w18R5cBWcJAm68+Q:gp2ld5jPqW8LgeulxB3fgcEfDQ
                                                                                                                                                                                                                                                                          MD5:49AEBF8CBD62D92AC215B2923FB1B9F5
                                                                                                                                                                                                                                                                          SHA1:1723BE06719828DDA65AD804298D0431F6AFF976
                                                                                                                                                                                                                                                                          SHA-256:B33EFCB95235B98B48508E019AFA4B7655E80CF071DEFABD8B2123FC8B29307F
                                                                                                                                                                                                                                                                          SHA-512:BF86116B015FB56709516D686E168E7C9C68365136231CC51D0B6542AE95323A71D2C7ACEC84AAD7DCECC2E410843F6D82A0A6D51B9ACFC721A9C84FDD877B5B
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1716
                                                                                                                                                                                                                                                                          Entropy (8bit):7.596259519827648
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:GL3d+gG48zmf8grQcPJ27AcYG7i47V28Tl4JZG0FWk8ZHJ:GTd0PmfrrQG28cYG28CEJ
                                                                                                                                                                                                                                                                          MD5:D91299E84355CD8D5A86795A0118B6E9
                                                                                                                                                                                                                                                                          SHA1:7B0F360B775F76C94A12CA48445AA2D2A875701C
                                                                                                                                                                                                                                                                          SHA-256:46011EDE1C147EB2BC731A539B7C047B7EE93E48B9D3C3BA710CE132BBDFAC6B
                                                                                                                                                                                                                                                                          SHA-512:6D11D03F2DF2D931FAC9F47CEDA70D81D51A9116C1EF362D67B7874F91BF20915006F7AF8ECEBAEA59D2DC144536B25EA091CC33C04C9A3808EEFDC69C90E816
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):727
                                                                                                                                                                                                                                                                          Entropy (8bit):7.534031201200033
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:5onfZUxc5RlRtBfQOx/hsLzjyNiA6M4SjmFjt5Y1DohqGoz7UcN/YNjoRLUE2lH2:5iCxcdZbxJqjFJ5mDohqocRYN7latn
                                                                                                                                                                                                                                                                          MD5:3AA154C597F0D3EF221B82298CE04F78
                                                                                                                                                                                                                                                                          SHA1:C15D53176E903BFAB12665B3E42D1B9ECCFB54D0
                                                                                                                                                                                                                                                                          SHA-256:B75A76C1C71E981D5299E2A8F85D317D14DA91FD79A615C70EF14876EBC9557D
                                                                                                                                                                                                                                                                          SHA-512:B9B93ED7F99E8B96EFB85A4DC9A8CEE9F7057B87DA9C2A1FE82FE8CD308F89C42E76E9170BB429999E1D985AF7847463B8C60173C44413685472E0B5E2306324
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:Certificate, Version=3
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1428
                                                                                                                                                                                                                                                                          Entropy (8bit):7.688784034406474
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:24:nIGWnSIGWnSGc9VIyy0KuiUQ+7n0TCDZJCCAyuIqwmCFUZnPQ1LSdT:nIL7LJSRQ+QgAyuxwfynPQmR
                                                                                                                                                                                                                                                                          MD5:78F2FCAA601F2FB4EBC937BA532E7549
                                                                                                                                                                                                                                                                          SHA1:DDFB16CD4931C973A2037D3FC83A4D7D775D05E4
                                                                                                                                                                                                                                                                          SHA-256:552F7BDCF1A7AF9E6CE672017F4F12ABF77240C78E761AC203D1D9D20AC89988
                                                                                                                                                                                                                                                                          SHA-512:BCAD73A7A5AFB7120549DD54BA1F15C551AE24C7181F008392065D1ED006E6FA4FA5A60538D52461B15A12F5292049E929CFFDE15CC400DEC9CDFCA0B36A68DD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):306
                                                                                                                                                                                                                                                                          Entropy (8bit):3.876748924924169
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:kKVFlllWsDL6T/lSrs0d5DRAUSW0P3PeXJUwh8lmi36lImJGelN:j/LL+/IrHd51xSW0P3PeXJUZ6NXlN
                                                                                                                                                                                                                                                                          MD5:DFFDC32A4811EDC3FD6C45D8D014E1E7
                                                                                                                                                                                                                                                                          SHA1:A38FD124038C1FF2548E55CF57C53224A85528AB
                                                                                                                                                                                                                                                                          SHA-256:A06BA2DA51569D8F319A083C5C8FCB71568A739BF4570DF773937AE94F44BB7B
                                                                                                                                                                                                                                                                          SHA-512:9E122A168F37BD7A7DD6766B0D0C0EF5A0E53B16D513A0C6FC90FE3A805859D529D21151F984899339B63A7E731B8275D293A7BF22FCC490923025CA1E59DDF8
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:p...... .........=..`>..(.................fM.=....Jv&C....................Jv&C.. .........e..=.. ..."...............h.t.t.p.:././.c.r.l.3...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.l...".6.7.4.1.d.5.5.d.-.1.b.1.9.a."...
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:modified
                                                                                                                                                                                                                                                                          Size (bytes):338
                                                                                                                                                                                                                                                                          Entropy (8bit):3.467955489419957
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:kKGPK8dzEJFN+SkQlPlEGYRMY9z+s3Ql2DUevat:OPKqkPlE99SCQl2DUevat
                                                                                                                                                                                                                                                                          MD5:6D7477A2583968FCD752E47AA69A82E5
                                                                                                                                                                                                                                                                          SHA1:864B51A505B937144FBC829E0ADF37C31B630B40
                                                                                                                                                                                                                                                                          SHA-256:46CB4E1A653C33E4A578559F3F56FA406E602377A0413EB53348F375CE6D8EA0
                                                                                                                                                                                                                                                                          SHA-512:5551685BA3C26FA25BE3209F81A9CC059527BE3B6F3934262C99FFC0F31D36CCF2C6836E07517D8A36520405CDF8AF75991E2AB5A9E68A966F5DF3E801672942
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:p...... ........j.G.~...(................................................K...>.. .........p.........$...............h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.d.i.s.a.l.l.o.w.e.d.c.e.r.t.s.t.l...c.a.b...".7.4.6.7.8.7.a.3.f.0.d.9.1.:.0."...
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):400
                                                                                                                                                                                                                                                                          Entropy (8bit):3.949719898813914
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:kKoKRlvWhqXlF3smXlRNfOAUMivhClroFzCJCgO3lwuqDnlyQ4hY5isIlQhZgJn:V3Xn31mxMiv8sFzD3quqDkPh8Y2ZM
                                                                                                                                                                                                                                                                          MD5:BC9BD298A88F30C4E05C0AE5665B6A92
                                                                                                                                                                                                                                                                          SHA1:13C35FD7EF8663E791F1702D71CF519704B50087
                                                                                                                                                                                                                                                                          SHA-256:2AB4A16BDA0AF3EF301FDAA4F641824E29E4E6391E1FD2406A4AB33C580A07FA
                                                                                                                                                                                                                                                                          SHA-512:47B97F6A607546611DAE81AAB7C6B9C2D58B9F42B4F80CE1C7079E96835D3211E7D935CB8A94EF546EB97FA4F15ABDCEA6A4EEB919AAACB2E102836236FE90F0
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:p...... .........Z).Y>..(................~...=....o.ZC....................o.ZC.. ........E.NW>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.3.x.L.4.L.Q.L.X.D.R.D.M.9.P.6.6.5.T.W.4.4.2.v.r.s.U.Q.Q.U.R.e.u.i.r.%.2.F.S.S.y.4.I.x.L.V.G.L.p.6.c.h.n.f.N.t.y.A.8.C.E.A.6.b.G.I.7.5.0.C.3.n.7.9.t.Q.4.g.h.A.G.F.o.%.3.D...
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):328
                                                                                                                                                                                                                                                                          Entropy (8bit):3.247897867253901
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:kKddL9UswD8HGsL+N+SkQlPlEGYRMY9z+4KlDA3RUebT3:+DImsLNkPlE99SNxAhUe/3
                                                                                                                                                                                                                                                                          MD5:C2513811C77C39A63BED9AF3CC04CCF3
                                                                                                                                                                                                                                                                          SHA1:392CD55AC5B9228FBFC3AEBF2B5FF2385AC59887
                                                                                                                                                                                                                                                                          SHA-256:2B4431DA81FD9387A948B5A8D093FCF8DC837996FFA7CD8ED61C2C42265BAFCA
                                                                                                                                                                                                                                                                          SHA-512:1029EB7421A1876DE444EABD9CE2708E6AF9FE00F9F9240892D6EAFA90B5EBD27D54F45F67385CCE92CF76D8D96AE040EA9909C123AA5C036931234572D491FD
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:p...... ........*.#8_>..(....................................................... ........G..@.......&......X........h.t.t.p.:././.c.t.l.d.l...w.i.n.d.o.w.s.u.p.d.a.t.e...c.o.m./.m.s.d.o.w.n.l.o.a.d./.u.p.d.a.t.e./.v.3./.s.t.a.t.i.c./.t.r.u.s.t.e.d.r./.e.n./.a.u.t.h.r.o.o.t.s.t.l...c.a.b...".a.7.2.8.2.e.b.4.0.b.1.d.a.1.:.0."...
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):308
                                                                                                                                                                                                                                                                          Entropy (8bit):3.2050592946567047
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:kKdnfzNcalgRAOAUSW0P3PeXJUwh8lmi3Y:stWOxSW0P3PeXJUZY
                                                                                                                                                                                                                                                                          MD5:BC7F7E4309F1BA87F9CA3BFE2F60956A
                                                                                                                                                                                                                                                                          SHA1:B85AB4FE501CCFDEB99F3E49B9D81F45B6FD8820
                                                                                                                                                                                                                                                                          SHA-256:F34677E3C0506E32863CFD056685F16DCFB23869858C62EBD2DDF28D4562226F
                                                                                                                                                                                                                                                                          SHA-512:133A125FEF9F257EDF24761203A227621931C5E725E8671E90DEFBC297639BFA587C6B7DFD98AF0AF048607EC994280C5DE405F98BD824416F769CE0E4391573
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:p...... ...........C^>..(....................................................... ........}.-@@......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.G.4.C.o.d.e.S.i.g.n.i.n.g.R.S.A.4.0.9.6.S.H.A.3.8.4.2.0.2.1.C.A.1...c.r.t...".6.0.9.0.3.0.2.2.-.6.b.4."...
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):412
                                                                                                                                                                                                                                                                          Entropy (8bit):3.959411032432051
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:kKo0PbtlYsjfOAUMivhClroFfJSUm2SQwItJqB3UgPSgakZdPolRMnOlAkrn:geGqmxMiv8sFBSfamB3rbFURMOlAkr
                                                                                                                                                                                                                                                                          MD5:781F2FB0B959E61D9231D3DE77B9A81F
                                                                                                                                                                                                                                                                          SHA1:F4105888E84CDE36D708D9302F19D7B2CFD3AE36
                                                                                                                                                                                                                                                                          SHA-256:F14D7C0863171E709902F853E53E7ED654DD79619CE3100A5FA6D8120B83B5BD
                                                                                                                                                                                                                                                                          SHA-512:DE9AB96A0EF99933A88AEB4FF12C839F7BA99882FCD39843D6717428C9F9DDA6AAD901A7DE5E25FBABEDEE0C3D5A6F60EC9E694476131A72C69D207408A7D093
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:p...... ....(.....Q.Z>..(.................gj.=....K.WC....................K.WC.. ..........BW>.. ...................h.t.t.p.:././.o.c.s.p...d.i.g.i.c.e.r.t...c.o.m./.M.F.E.w.T.z.B.N.M.E.s.w.S.T.A.J.B.g.U.r.D.g.M.C.G.g.U.A.B.B.T.f.I.s.%.2.B.L.j.D.t.G.w.Q.0.9.X.E.B.1.Y.e.q.%.2.B.t.X.%.2.B.B.g.Q.Q.U.7.N.f.j.g.t.J.x.X.W.R.M.3.y.5.n.P.%.2.B.e.6.m.K.4.c.D.0.8.C.E.A.i.t.Q.L.J.g.0.p.x.M.n.1.7.N.q.b.2.T.r.t.k.%.3.D...
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):254
                                                                                                                                                                                                                                                                          Entropy (8bit):3.0528988669712294
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:kKlM/hLDcJgjcalgRAOAUSW0PTKDXMOXISKlUp:upLYS4tWOxSW0PAMsZp
                                                                                                                                                                                                                                                                          MD5:F2A1B3E898DC5293A387C937CD3B0F11
                                                                                                                                                                                                                                                                          SHA1:D0121398FCC8014883977F4A2F34644B5889610A
                                                                                                                                                                                                                                                                          SHA-256:92E9654C60C58F9E8D7617B0EDB1DA3D418B7195FB706E1694912E915D595C48
                                                                                                                                                                                                                                                                          SHA-512:471795AD2A1ABA5897B7952762343FF689F35FC7BF743FEC7BD7A6EA584DA2EFFC6D8653649A37A373A0E1BAC38E834C1BDB445311403030FAE6A620779B79DE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:p...... ....l...O..^>..(....................................................... ............n......................h.t.t.p.:././.c.a.c.e.r.t.s...d.i.g.i.c.e.r.t...c.o.m./.D.i.g.i.C.e.r.t.T.r.u.s.t.e.d.R.o.o.t.G.4...c.r.t...".5.a.2.8.6.4.1.7.-.5.9.4."...
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                          File Type:CSV text
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):1944
                                                                                                                                                                                                                                                                          Entropy (8bit):5.343420056309075
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:MxHKQg8mHDp684YHKGSI6oPtHTHhAHKKkhHNpaHKlT44HKmHKe60:iqzCYqGSI6oPtzHeqKkhtpaqZ44qmq10
                                                                                                                                                                                                                                                                          MD5:437E4DCFC04CB727093C5232EA15F856
                                                                                                                                                                                                                                                                          SHA1:81B949390201F3B70AE2375518A0FFD329310837
                                                                                                                                                                                                                                                                          SHA-256:5EADB9774A50B6AD20D588FDA58F5A42B2E257A0AA26832B41F8EA008C1EB96B
                                                                                                                                                                                                                                                                          SHA-512:0332C7E5205CF9221172473A841284487ACC111780A58557231FCDE72A5EDB7E7E3EF6C87AB9682A688BC24992A74027F930267B541039BD8757EEF4E2F51A0E
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\b187b7f31cee3e87b56c8edca55324e0\System.ni.dll",0..3,"System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Serv759bfb78#\e2ca4e2ddffdc0d0bda3f2ca65249790\System.ServiceProcess.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Core\31326613607f69254f3284ec964796c8\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Configuration\915c1ee906bd8dfc15398a4bab4acb48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                                                                                          Entropy (8bit):1.559314386709612
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:bJ8PhluRc06WXJeFT5SsxqISoedGPdGftrpDStedGPdGRubeDn:Ahl11FTcssISo6D
                                                                                                                                                                                                                                                                          MD5:40B833DF799A52BB524C0E591ED0F533
                                                                                                                                                                                                                                                                          SHA1:CF6A16340CE8DF8C4B16F733169659E8A7FB61D8
                                                                                                                                                                                                                                                                          SHA-256:B2680AB32E171663A1CF9138A0CFDF0F6F8170980153D5F711CEAFCDAB0AAEC6
                                                                                                                                                                                                                                                                          SHA-512:D2BFD58192B7889A17AE41446497D6B8EC7C66BF8CE88E772137C7B9E9B00075CE84F0A985C05A453ABA5A4A3E896D05CB4C438735EF826F010C8800974C9D50
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF104FF017AE6A1734.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):69632
                                                                                                                                                                                                                                                                          Entropy (8bit):0.14093626297357859
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:CnruubmStedGPdGeqISoedGPdGftrpds:irHyLI6s
                                                                                                                                                                                                                                                                          MD5:A2169A3B918CD7CFB54B9C367ED7FA0A
                                                                                                                                                                                                                                                                          SHA1:06748417B5F0D25E05E2D7E77918F65412C47D4E
                                                                                                                                                                                                                                                                          SHA-256:BCD966B2882837206406EAF4967B2A738E51DAB8B482BD8BD18D1E951776CD3E
                                                                                                                                                                                                                                                                          SHA-512:0EF4D44B5CA2274F575BB4BE1D6DC82DFD3AF3EFDBE5E6FD0B9A33D2E1C9F889EA832AE4C3A03FA21C574CFB20F80E1C5A745C7183909F5E91E097E55F2D04F8
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF355F8EAD7962411B.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                                                                                          Entropy (8bit):1.2489838428987425
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:vBCgduksPveFXJfT5SsxqISoedGPdGftrpDStedGPdGRubeDn:Vdr3TcssISo6D
                                                                                                                                                                                                                                                                          MD5:7A4AA9323F156AE9DDB41843DB3D3D85
                                                                                                                                                                                                                                                                          SHA1:99F8FAE29D7F7E91B7774BB80310409DEE6E485C
                                                                                                                                                                                                                                                                          SHA-256:1E12BF6D49E5AEDC123CE62B07302F4636255617A0030230C22DB8395F185822
                                                                                                                                                                                                                                                                          SHA-512:99F666C2FE531A64D38ED6A922CC74B841C801F149DCD77EEB11B18CDE4C584FF6E0DE66A61A29BC74044B8452E29A03689DCACBF18FF09B01EF64DE1410E6C8
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF46B34C8187FE8435.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                                                                                          Entropy (8bit):1.2489838428987425
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:vBCgduksPveFXJfT5SsxqISoedGPdGftrpDStedGPdGRubeDn:Vdr3TcssISo6D
                                                                                                                                                                                                                                                                          MD5:7A4AA9323F156AE9DDB41843DB3D3D85
                                                                                                                                                                                                                                                                          SHA1:99F8FAE29D7F7E91B7774BB80310409DEE6E485C
                                                                                                                                                                                                                                                                          SHA-256:1E12BF6D49E5AEDC123CE62B07302F4636255617A0030230C22DB8395F185822
                                                                                                                                                                                                                                                                          SHA-512:99F666C2FE531A64D38ED6A922CC74B841C801F149DCD77EEB11B18CDE4C584FF6E0DE66A61A29BC74044B8452E29A03689DCACBF18FF09B01EF64DE1410E6C8
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DF9363D06770D8B98C.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                                                                                          Entropy (8bit):0.07013945828024086
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:6:2/9LG7iVCnLG7iVrKOzPLHKOfcZdxdcZDvEqVky6lf1:2F0i8n0itFzDHFfMxdcZDvWd
                                                                                                                                                                                                                                                                          MD5:ADF856FC6DB34A6D6D80A2A55BA099F6
                                                                                                                                                                                                                                                                          SHA1:BCBF8E6AFA3DBA95BF0B15BD57FB58AE72D2ACD2
                                                                                                                                                                                                                                                                          SHA-256:607F6E53D06503F3382024F2147C22084E565672A094BC9A6390DF49BD8C7D86
                                                                                                                                                                                                                                                                          SHA-512:E501942C4E0548CB8747EAD9359E642FCF0D0C50E2EF2B36995B8AD596645CB1BEDF0D30CEC31164E8E0024E43952697E46B9DF0DD45D0056F92C029BBF4A2B0
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):32768
                                                                                                                                                                                                                                                                          Entropy (8bit):1.2489838428987425
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:vBCgduksPveFXJfT5SsxqISoedGPdGftrpDStedGPdGRubeDn:Vdr3TcssISo6D
                                                                                                                                                                                                                                                                          MD5:7A4AA9323F156AE9DDB41843DB3D3D85
                                                                                                                                                                                                                                                                          SHA1:99F8FAE29D7F7E91B7774BB80310409DEE6E485C
                                                                                                                                                                                                                                                                          SHA-256:1E12BF6D49E5AEDC123CE62B07302F4636255617A0030230C22DB8395F185822
                                                                                                                                                                                                                                                                          SHA-512:99F666C2FE531A64D38ED6A922CC74B841C801F149DCD77EEB11B18CDE4C584FF6E0DE66A61A29BC74044B8452E29A03689DCACBF18FF09B01EF64DE1410E6C8
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFC8300526DF6F0731.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):20480
                                                                                                                                                                                                                                                                          Entropy (8bit):1.559314386709612
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:48:bJ8PhluRc06WXJeFT5SsxqISoedGPdGftrpDStedGPdGRubeDn:Ahl11FTcssISo6D
                                                                                                                                                                                                                                                                          MD5:40B833DF799A52BB524C0E591ED0F533
                                                                                                                                                                                                                                                                          SHA1:CF6A16340CE8DF8C4B16F733169659E8A7FB61D8
                                                                                                                                                                                                                                                                          SHA-256:B2680AB32E171663A1CF9138A0CFDF0F6F8170980153D5F711CEAFCDAB0AAEC6
                                                                                                                                                                                                                                                                          SHA-512:D2BFD58192B7889A17AE41446497D6B8EC7C66BF8CE88E772137C7B9E9B00075CE84F0A985C05A453ABA5A4A3E896D05CB4C438735EF826F010C8800974C9D50
                                                                                                                                                                                                                                                                          Malicious:true
                                                                                                                                                                                                                                                                          Yara Hits:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Windows\Temp\~DFD18BD80E6999656A.TMP, Author: Joe Security
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          File Type:data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):512
                                                                                                                                                                                                                                                                          Entropy (8bit):0.0
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:3::
                                                                                                                                                                                                                                                                          MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                                                                                                                                                          SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                                                                                                                                                          SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                                                                                                                                                          SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Process:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                          File Type:JSON data
                                                                                                                                                                                                                                                                          Category:dropped
                                                                                                                                                                                                                                                                          Size (bytes):455
                                                                                                                                                                                                                                                                          Entropy (8bit):5.4098175149033825
                                                                                                                                                                                                                                                                          Encrypted:false
                                                                                                                                                                                                                                                                          SSDEEP:12:Y0rsShlOS0+3dYRni2xOilZ81Wf3rTPaoLcj:Y0rBBtGbn81wXP6j
                                                                                                                                                                                                                                                                          MD5:936D8AB4B50246000C756E62DF0DB6A2
                                                                                                                                                                                                                                                                          SHA1:7A94D33FCDD3259FF23BFCA5272CD058A5A27175
                                                                                                                                                                                                                                                                          SHA-256:1FB74F9EEDB200610FE044B2D1E060D1F99B8BB8B083C86ACDA2E59FFA48CB6E
                                                                                                                                                                                                                                                                          SHA-512:F09FC221809BD3072F4CA7DE10D539225FFEB01C57254638EB70700E93B7849A392E09F7115617D41FA879B66E3A37E27698A0BDB54A7FF05C95E1717FBBA382
                                                                                                                                                                                                                                                                          Malicious:false
                                                                                                                                                                                                                                                                          Preview:{"PackageName":"AgentPackageAgentInformation","ExecutableCommandArgs":["minimalIdentification"],"Data":{"AccountId":"001Q300000KANvwIAH","UserLogin":"Salim.Jami@korektel.com","MachineName":"302494","CustomerId":"1","FolderId":"","IsMinimalIdentification":true,"UniqueMachineIdentifier":"GQPFSF/rWwswhIqkBWFeUzFqC57CzsIROEEzal59mv0=","OsType":"Windows"},"CommandId":"bba6296f-630c-4728-badb-dcac66c37446","AgentId":"1db40f91-941c-4bcb-961d-1fe2982e82b6"}..
                                                                                                                                                                                                                                                                          File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
                                                                                                                                                                                                                                                                          Entropy (8bit):7.878667565018582
                                                                                                                                                                                                                                                                          TrID:
                                                                                                                                                                                                                                                                          • Microsoft Windows Installer (60509/1) 57.88%
                                                                                                                                                                                                                                                                          • ClickyMouse macro set (36024/1) 34.46%
                                                                                                                                                                                                                                                                          • Generic OLE2 / Multistream Compound File (8008/1) 7.66%
                                                                                                                                                                                                                                                                          File name:Digital.msi
                                                                                                                                                                                                                                                                          File size:2'994'176 bytes
                                                                                                                                                                                                                                                                          MD5:391a7dcf2ff4af032a8de9b5bfc5b7d9
                                                                                                                                                                                                                                                                          SHA1:22e2261c6e65f3d95406e66c77d3942d51790417
                                                                                                                                                                                                                                                                          SHA256:e652634f90f23553d56fa937227c039f8769f9509051a434a14990785a8ab57f
                                                                                                                                                                                                                                                                          SHA512:5adf800adc213f114a282b0ff29e33e14b70e66dc685a31826e497a6344961de1b7dbf5412b3539eb6ee5abc223be8209953352fd6f9a4f2cbaaafc3f4770c44
                                                                                                                                                                                                                                                                          SSDEEP:49152:q+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:q+lUlz9FKbsodq0YaH7ZPxMb8tT
                                                                                                                                                                                                                                                                          TLSH:F6D523127584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76F73
                                                                                                                                                                                                                                                                          Icon Hash:2d2e3797b32b2b99
Timestamp                        SID      Signature                                         Severity  Source IP     Source Port  Dest IP        Dest Port  Protocol
2024-11-24T11:16:27.502084+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  49760        13.232.67.198  443        TCP
2024-11-24T11:16:30.809349+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  49776        13.232.67.198  443        TCP
2024-11-24T11:17:15.973636+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  49882        13.232.67.198  443        TCP
2024-11-24T11:17:26.823639+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  49913        13.232.67.198  443        TCP
2024-11-24T11:17:34.035403+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  49934        13.232.67.198  443        TCP
2024-11-24T11:17:40.734107+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  49954        13.232.67.198  443        TCP
2024-11-24T11:17:43.589048+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  49964        13.232.67.198  443        TCP
2024-11-24T11:17:47.631742+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  49977        13.232.67.198  443        TCP
2024-11-24T11:17:56.523900+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  50015        13.232.67.198  443        TCP
2024-11-24T11:18:05.733018+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  50052        13.232.67.198  443        TCP
2024-11-24T11:18:11.737494+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H  3         192.168.2.11  50073        13.232.67.198  443        TCP
Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.214145899 CET49751443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.219882965 CET49751443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.344229937 CET4434975213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.344304085 CET4434975213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.344371080 CET49752443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.349025011 CET49752443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.505115032 CET49760443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.505146027 CET4434976013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.505208969 CET49760443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.506661892 CET49760443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.506685972 CET4434976013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.510639906 CET49761443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.510684013 CET4434976113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.510755062 CET49761443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.510993958 CET49761443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:24.511008024 CET4434976113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:26.900660992 CET4434976113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:26.904881001 CET49761443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:26.904896021 CET4434976113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:26.968310118 CET4434976013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:26.970345020 CET49760443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:26.970365047 CET4434976013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.438488007 CET4434976113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.438513994 CET4434976113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.438611031 CET49761443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.438621998 CET4434976113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.438633919 CET4434976113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.438673973 CET49761443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.495366096 CET49761443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.502100945 CET4434976013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.502170086 CET4434976013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.502226114 CET49760443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.532620907 CET49760443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.907085896 CET49776443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.907118082 CET4434977613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.907166958 CET49776443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.908704996 CET49776443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.908715963 CET4434977613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.909214020 CET49777443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.909250975 CET4434977713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.909317017 CET49777443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.909564972 CET49777443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:27.909578085 CET4434977713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:28.055562973 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:28.055593967 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:28.055653095 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:28.055918932 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:28.055931091 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:29.913592100 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:29.913727045 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:29.915747881 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:29.915759087 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:29.916177034 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:29.917227983 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:29.959332943 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.282623053 CET4434977613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.284048080 CET49776443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.284065962 CET4434977613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.284425020 CET4434977713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.285397053 CET49777443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.285449982 CET4434977713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.624015093 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.665479898 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.665504932 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.665566921 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.665606976 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.665658951 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.809356928 CET4434977613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.809429884 CET4434977613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.809484005 CET49776443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.810126066 CET49776443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.859930038 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.859976053 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.860124111 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.860142946 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.860255957 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.908972025 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.909002066 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.909152985 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.909162045 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:30.909245014 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.049032927 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.049093962 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.049211979 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.642721891 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.643934965 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.643997908 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.644006014 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.644045115 CET44349778108.158.75.4192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.644047976 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.644088984 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:16:31.644365072 CET49778443192.168.2.11108.158.75.4
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:12.930773020 CET49882443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:12.930818081 CET4434988213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:12.930922031 CET49882443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:12.935117006 CET49882443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:12.935132980 CET4434988213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.316824913 CET4434988213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.363733053 CET49882443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.450136900 CET49882443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.450167894 CET4434988213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.973757029 CET4434988213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.973936081 CET4434988213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.974016905 CET49882443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.974901915 CET49882443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.976315975 CET49891443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.976361036 CET4434989113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.976459980 CET49891443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.976878881 CET49891443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:15.976892948 CET4434989113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:18.439877033 CET4434989113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:18.488701105 CET49891443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:18.523056030 CET49891443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:18.523075104 CET4434989113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:19.059873104 CET4434989113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:19.113719940 CET49891443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:19.113729000 CET4434989113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:19.117110968 CET49891443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:19.117228031 CET4434989113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:19.117325068 CET49891443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.881825924 CET4434977713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.881843090 CET4434977713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.881896019 CET4434977713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.881913900 CET49777443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.881985903 CET49777443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.882638931 CET49777443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.896459103 CET49913443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.896487951 CET4434991313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.896559000 CET49913443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.899542093 CET49914443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.899558067 CET4434991413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.899626017 CET49914443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.899940968 CET49914443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.899955988 CET4434991413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.903115988 CET49913443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:23.903130054 CET4434991313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.293771029 CET4434991313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.293864965 CET49913443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.298815012 CET49913443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.298820972 CET4434991313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.299076080 CET4434991313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.301852942 CET49913443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.347337961 CET4434991313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.354885101 CET4434991413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.355036020 CET49914443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.387554884 CET49914443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.387582064 CET4434991413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.388042927 CET4434991413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.389149904 CET49914443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.435323000 CET4434991413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.823690891 CET4434991313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.823761940 CET4434991313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.823921919 CET49913443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:26.824321032 CET49913443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.064400911 CET49914443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.064555883 CET4434991413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.064631939 CET49914443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.084194899 CET49933443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.084224939 CET4434993313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.084305048 CET49933443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.085797071 CET49933443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.085812092 CET4434993313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.113171101 CET49934443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.113210917 CET4434993413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.113282919 CET49934443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.113967896 CET49934443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:31.113984108 CET4434993413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:33.509227037 CET4434993413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:46.899682999 CET49986443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:46.900799990 CET49986443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:46.900825024 CET4434998613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:46.943336010 CET4434998113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:46.966232061 CET4434997613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:46.966290951 CET49976443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:46.966429949 CET49976443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:46.981688023 CET4434997713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:46.981785059 CET49977443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.092401028 CET49977443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.092423916 CET4434997713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.092897892 CET4434997713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.094801903 CET49977443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.135327101 CET4434997713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.568620920 CET49986443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.569133043 CET49988443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.569179058 CET4434998813.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.569261074 CET49988443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.569586992 CET49988443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.569617987 CET4434998813.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.611340046 CET4434998613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.631777048 CET4434997713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.631874084 CET4434997713.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.632004976 CET49977443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.633588076 CET49977443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.635114908 CET49989443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.635157108 CET4434998913.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.635216951 CET49989443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.635479927 CET49989443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.635492086 CET4434998913.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.779167891 CET4434998113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.779334068 CET49981443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:47.782892942 CET49981443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:49.252950907 CET4434998613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:49.253060102 CET49986443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:49.253060102 CET49986443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:49.755263090 CET4434998813.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:49.787714005 CET49988443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:49.787733078 CET4434998813.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:49.953083038 CET4434998913.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:49.954432964 CET49989443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:49.954473019 CET4434998913.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.351042986 CET4434998813.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.470828056 CET4434998913.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.470902920 CET4434998913.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.470976114 CET49989443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.471601009 CET49989443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.472817898 CET50000443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.472861052 CET4435000013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.472940922 CET50000443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.473166943 CET50000443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.473181009 CET4435000013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.504544973 CET49988443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.504558086 CET4434998813.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.505563021 CET49988443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.505642891 CET4434998813.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.505858898 CET49988443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.505863905 CET4434998813.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.505964994 CET49988443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.506720066 CET50001443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.506761074 CET4435000113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.506871939 CET50001443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.507232904 CET50001443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:50.507245064 CET4435000113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.804136038 CET4435000013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.804218054 CET50000443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.805824041 CET50000443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.805836916 CET4435000013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.806081057 CET4435000013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.807682991 CET50000443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.851332903 CET4435000013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.957189083 CET4435000113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.957262993 CET50001443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.959148884 CET50001443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.959160089 CET4435000113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.959475040 CET4435000113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:52.960479975 CET50001443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:53.007332087 CET4435000113.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:53.329488993 CET4435000013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:53.329586983 CET4435000013.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:53.329633951 CET50000443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:53.330492973 CET50000443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:53.461034060 CET50015443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:17:53.461046934 CET4435001513.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:02.969597101 CET50041443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:02.970118999 CET50041443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:02.971031904 CET50053443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:02.971082926 CET4435005313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:02.971162081 CET50053443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:02.971434116 CET50053443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:02.971448898 CET4435005313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.207905054 CET4435005213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.212270021 CET50052443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.212285042 CET4435005213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.411247015 CET4435005313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.414944887 CET50053443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.414975882 CET4435005313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.733048916 CET4435005213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.733134031 CET4435005213.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.733179092 CET50052443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.733808041 CET50052443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.734682083 CET50064443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.734710932 CET4435006413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.734853029 CET50064443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.735058069 CET50064443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.735073090 CET4435006413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:05.993352890 CET4435005313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:06.051645041 CET50053443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:06.051672935 CET4435005313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:06.052078009 CET50053443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:06.052165031 CET4435005313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:06.052222967 CET50053443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:06.061237097 CET50066443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:06.061269999 CET4435006613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:06.061337948 CET50066443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:06.061731100 CET50066443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:06.061742067 CET4435006613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.113320112 CET4435006413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.113418102 CET50064443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.210150957 CET50064443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.210165977 CET4435006413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.210422039 CET4435006413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.211385012 CET50064443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.255327940 CET4435006413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.483237982 CET4435006613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.483351946 CET50066443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.484668970 CET50066443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.484678030 CET4435006613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.484950066 CET4435006613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.485974073 CET50066443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.531337976 CET4435006613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.733649015 CET4435006413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.733736038 CET4435006413.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.733849049 CET50064443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.734297037 CET50064443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.734675884 CET50073443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.734729052 CET4435007313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.734863043 CET50073443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.735027075 CET50073443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:08.735039949 CET4435007313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:09.008702040 CET4435006613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:09.008783102 CET4435006613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:09.008892059 CET50066443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:09.009169102 CET50066443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:09.009382010 CET50076443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:09.009416103 CET4435007613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:09.009511948 CET50076443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:09.009865046 CET50076443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:09.009875059 CET4435007613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.194854975 CET4435007313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.198982000 CET50073443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.199022055 CET4435007313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.385070086 CET4435007613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.390974998 CET50076443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.390999079 CET4435007613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.737530947 CET4435007313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.785805941 CET50073443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.785836935 CET4435007313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.786209106 CET50073443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.786282063 CET4435007313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.786334991 CET50073443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.786582947 CET50083443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.786621094 CET4435008313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.786706924 CET50083443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.786850929 CET50083443192.168.2.1113.232.67.198
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.786859035 CET4435008313.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.966881990 CET4435007613.232.67.198192.168.2.11
                                                                                                                                                                                                                                                                          Nov 24, 2024 11:18:11.967032909 CET4435007613.232.67.198192.168.2.11
• ps.pndsn.com
• ps.atera.com

Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.11 | 49751 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:23 UTC | 183 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2babaf61-1d7c-4750-9d20-d0f3040d8dce&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Host: ps.pndsn.com
Connection: Keep-Alive
2024-11-24 10:16:24 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:16:23 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:16:24 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 38 33 39 36 32 35 33 32 30 5d
Data Ascii: [17324433839625320]


                                                                                                                                                                                                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                                                                                                                                                          1192.168.2.114975213.232.67.1984438040C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          TimestampBytes transferredDirectionData
                                                                                                                                                                                                                                                                          2024-11-24 10:16:23 UTC364OUTGET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e064dce1-78e9-4ac2-9264-1eb708dbc685&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Pragma: no-cache
                                                                                                                                                                                                                                                                          Content-Type: application/json
                                                                                                                                                                                                                                                                          Host: ps.pndsn.com
                                                                                                                                                                                                                                                                          Connection: Keep-Alive
2024-11-24 10:16:24 UTC | 277 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                          Date: Sun, 24 Nov 2024 10:16:24 GMT
                                                                                                                                                                                                                                                                          Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                          Content-Length: 45
                                                                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Access-Control-Allow-Methods: GET
                                                                                                                                                                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
2024-11-24 10:16:24 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 38 33 39 38 34 31 35 32 39 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
                                                                                                                                                                                                                                                                          Data Ascii: {"t":{"t":"17324433839841529","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.11 | 49761 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:26 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d7610938-0dca-439e-ac79-774f3c321e97&tr=31&tt=17324433839841529&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Pragma: no-cache
                                                                                                                                                                                                                                                                          Content-Type: application/json
                                                                                                                                                                                                                                                                          Host: ps.pndsn.com
2024-11-24 10:16:27 UTC | 279 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                          Date: Sun, 24 Nov 2024 10:16:27 GMT
                                                                                                                                                                                                                                                                          Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                          Content-Length: 1879
                                                                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Access-Control-Allow-Methods: GET
                                                                                                                                                                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
2024-11-24 10:16:27 UTC | 1460 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 38 36 32 32 30 31 31 37 35 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 38 32 39 31 62 66 32 61 2d 33 31 61 32 2d 34 66 34 37 2d 38 62 64 36 2d 31 35 30 39 64 65 66 30 64 64 39 38 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 33 38 36 32 32 30 31 31 37 35 22 2c 22 72 22 3a 34 33 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 31 64 62 34 30 66 39 31 2d 39 34 31 63 2d 34 62 63 62 2d 39 36 31 64 2d 31 66 65 32 39 38 32 65 38 32 62 36 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 65 66 32 35 30 38 63
                                                                                                                                                                                                                                                                          Data Ascii: {"t":{"t":"17324433862201175","r":31},"m":[{"a":"2","f":0,"i":"8291bf2a-31a2-4f47-8bd6-1509def0dd98","p":{"t":"17324433862201175","r":43},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"1db40f91-941c-4bcb-961d-1fe2982e82b6","d":{"CommandId":"ef2508c
2024-11-24 10:16:27 UTC | 419 | IN | Data Raw: 5a 4d 5a 6f 6c 32 35 39 59 72 48 52 30 53 52 33 57 4a 31 6b 53 38 4c 69 62 49 72 48 66 79 35 66 48 43 48 74 72 35 6e 5c 75 30 30 32 42 77 75 37 39 63 56 79 4e 71 32 77 72 5a 61 39 6e 4d 68 46 59 52 63 43 74 36 57 41 55 79 70 64 36 35 53 7a 77 5a 70 31 36 54 35 6a 74 47 4f 56 31 4b 79 52 55 42 46 64 6b 62 38 64 6e 52 34 71 5c 75 30 30 32 42 6b 63 67 46 77 42 46 4a 33 69 54 61 6f 36 59 35 30 59 30 36 31 37 66 6e 56 62 6e 53 74 30 4e 43 57 79 73 77 73 65 7a 70 41 66 6f 6e 38 62 6f 67 3d 3d 22 2c 22 50 61 63 6b 61 67 65 4e 61 6d 65 22 3a 22 41 67 65 6e 74 50 61 63 6b 61 67 65 41 67 65 6e 74 49 6e 66 6f 72 6d 61 74 69 6f 6e 22 2c 22 50 61 63 6b 61 67 65 45 78 65 63 75 74 61 62 6c 65 50 61 72 61 6d 65 74 65 72 73 22 3a 22 6d 69 6e 69 6d 61 6c 49 64 65 6e 74 69
                                                                                                                                                                                                                                                                          Data Ascii: ZMZol259YrHR0SR3WJ1kS8LibIrHfy5fHCHtr5n\u002Bwu79cVyNq2wrZa9nMhFYRcCt6WAUypd65SzwZp16T5jtGOV1KyRUBFdkb8dnR4q\u002BkcgFwBFJ3iTao6Y50Y0617fnVbnSt0NCWyswsezpAfon8bog==","PackageName":"AgentPackageAgentInformation","PackageExecutableParameters":"minimalIdenti


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.11 | 49760 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:26 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c825a3a8-4a36-49ab-b7b0-21c3250f6f58&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
                                                                                                                                                                                                                                                                          Host: ps.pndsn.com
2024-11-24 10:16:27 UTC | 242 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                          Date: Sun, 24 Nov 2024 10:16:27 GMT
                                                                                                                                                                                                                                                                          Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                                                                          Content-Length: 19
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
2024-11-24 10:16:27 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 38 37 32 34 33 36 33 39 34 5d
                                                                                                                                                                                                                                                                          Data Ascii: [17324433872436394]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.11 | 49778 | 108.158.75.4 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:29 UTC | 212 | OUT | GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?1eP7cXfFABHn+w1g9FFL9eB+/iH5iRCUNriQ2oXlm3Xo4LhMTCSEx95ciwNo/nGQ HTTP/1.1
                                                                                                                                                                                                                                                                          Host: ps.atera.com
                                                                                                                                                                                                                                                                          Connection: Keep-Alive
2024-11-24 10:16:30 UTC | 671 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                          Content-Type: application/octet-stream
                                                                                                                                                                                                                                                                          Content-Length: 384542
                                                                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                                                                          Content-MD5: SgmofSAE2sSwBofpyfFQNg==
                                                                                                                                                                                                                                                                          Last-Modified: Tue, 12 Nov 2024 07:13:54 GMT
                                                                                                                                                                                                                                                                          ETag: 0x8DD02E9910FA268
                                                                                                                                                                                                                                                                          Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
                                                                                                                                                                                                                                                                          x-ms-request-id: 4f2b2192-601e-007b-57cf-3c3f56000000
                                                                                                                                                                                                                                                                          x-ms-version: 2009-09-19
                                                                                                                                                                                                                                                                          x-ms-lease-status: unlocked
                                                                                                                                                                                                                                                                          x-ms-blob-type: BlockBlob
                                                                                                                                                                                                                                                                          Date: Sat, 23 Nov 2024 11:11:18 GMT
                                                                                                                                                                                                                                                                          Vary: Accept-Encoding
                                                                                                                                                                                                                                                                          X-Cache: Hit from cloudfront
                                                                                                                                                                                                                                                                          Via: 1.1 fc56b8a676000a5893378ee9d2b55f78.cloudfront.net (CloudFront)
                                                                                                                                                                                                                                                                          X-Amz-Cf-Pop: BAH53-P2
                                                                                                                                                                                                                                                                          X-Amz-Cf-Id: GjObXcaa_ePHXFy4aYZFROqseeVrIIUdQ5Z5ZcDrEMiGV-4sINCS1Q==
                                                                                                                                                                                                                                                                          Age: 83111
                                                                                                                                                                                                                                                                          Data Ascii: h\wlXPK74H$C}s%Z<!r.S,uv^ MJ0"hU"Dc(`rwqc tsQ)ITcBy!t!=u=L"Ho(tswSw1+VW&fAbp2KI,IEN(%k~{A})im^H)p~RDL
                                                                                                                                                                                                                                                                          2024-11-24 10:16:31 UTC16384INData Raw: b0 35 f1 5b e1 55 55 2d 1b 11 8e 47 4c bb 01 07 f0 15 83 68 42 8a ee 1e 04 4e 89 f0 53 fa f4 c4 da a7 79 48 d4 5b 49 a5 ea 32 74 69 78 4f c3 3c 93 11 5a ff 50 78 79 7d 49 47 a1 32 5f 5c 4a 03 22 3a 9c 28 29 f4 ca d1 1a b4 7e ad ca 19 87 83 b6 fb 62 8a f5 b1 e7 f5 7e f3 dd bd 49 30 aa a3 c3 74 e9 88 c6 89 72 13 da 50 29 ad 2a 3b d5 f6 eb cd 58 97 62 7c f0 be d6 b6 a9 65 3b dc 4f 3f 8d d9 de 62 c3 a7 21 d0 7e 66 d5 84 b6 78 12 a4 11 aa 61 ef 8d 88 39 21 02 09 a6 5b 1c d2 65 a3 c8 75 53 5d a2 04 c7 1b 89 12 6d f3 61 70 b4 58 ab 08 f9 c1 9f d7 14 c3 cf 94 95 e4 9d 18 30 76 c6 84 e5 51 0f c8 78 ed 6d 07 3c 75 8f 12 86 dd 73 3b 78 55 69 ab 26 b2 88 e6 ff 0f 50 4b 74 4a f3 a8 00 09 3f 29 7c ee 82 1d 8b 30 84 76 04 b1 54 67 67 36 f1 21 64 00 4b 4c 2a ae a8 0f c7
                                                                                                                                                                                                                                                                          Data Ascii: 5[UU-GLhBNSyH[I2tixO<ZPxy}IG2_\J":()~b~I0trP)*;Xb|e;O?b!~fxa9![euS]mapX0vQxm<us;xUi&PKtJ?)|0vTgg6!dKL*
                                                                                                                                                                                                                                                                          2024-11-24 10:16:31 UTC16384INData Raw: 0f 64 e2 97 e6 9c a6 43 b6 e6 f9 03 7c 3f f5 ee ef ba d6 ba fc a9 84 75 3d a4 d7 11 44 68 c3 51 93 fe 5b 78 63 bc 4e c2 8b 6b ed 1c df 16 05 9d a9 d6 3b 35 36 6f df 78 f2 8b 7c 92 37 32 20 72 fc 74 5b cd b7 9f f6 c5 c8 1f 25 7a 9f 93 48 a0 75 b5 b3 48 8e 82 04 a6 8e 2c 2f 22 3f 18 43 97 d1 70 4a 09 61 c3 63 cc 98 d7 84 23 30 a2 ef 5a 59 30 55 ad ef db bb 6c de 17 81 16 60 65 98 e5 20 e0 df d8 b6 91 7b e2 7c 52 dc 91 c6 ab 18 8b 94 8d 2b 80 74 e8 04 4a 91 ff 7e 1b 70 55 d6 8f 16 9b 7d 20 dc 9c fa 74 7c 61 43 dc 0a 77 4c 33 df 7d e5 1b 71 d9 1d c7 ce 62 e8 a6 be d0 e2 e9 2d a6 de 4b 1d 3a 5a 34 8b 75 64 26 a8 9c df 5c 66 6b 58 b3 1a ea ef f0 3d 0a cc c3 41 f3 b8 d8 97 c5 74 e6 6d 59 74 4e 97 27 66 61 57 1b 95 66 47 d5 91 f2 f3 a6 c8 b9 66 19 96 82 4e b6 2d
                                                                                                                                                                                                                                                                          Data Ascii: dC|?u=DhQ[xcNk;56ox|72 rt[%zHuH,/"?CpJac#0ZY0Ul`e {|R+tJ~pU} t|aCwL3}qb-K:Z4ud&\fkX=AtmYtN'faWfGfN-
                                                                                                                                                                                                                                                                          2024-11-24 10:16:31 UTC16384INData Raw: 2f 65 e0 c1 e4 ee de 4d e6 a2 91 de 1e 1c 23 17 63 e2 18 30 70 0d bb b4 a1 da ec 25 b2 11 14 2f 0d 9a 0b 2c 64 7a bd 4d 22 56 35 34 fb e8 c4 b8 42 1e 1e 20 06 56 f3 8e 3f 44 11 57 65 43 88 92 3c 24 8a 8f 18 71 8a dd 12 12 89 c8 7e 6a 8f 2c 29 56 7c fe ea e2 00 63 99 97 fe a7 9c 30 ac 6c e3 2c 72 36 83 0d 90 44 8c ca d2 a2 62 a9 9c e8 0c 9a ce 6e a0 39 f7 0f bc 09 3c 53 5d e6 15 33 5e 64 51 2c dc 55 87 9c 8c 8e 12 f7 95 5b d7 7a 8f 04 cb d1 3e d5 ea e4 24 41 ed c8 b9 f8 47 a9 27 51 79 eb 63 f5 3d 15 86 91 16 05 d7 35 fd 1c 2e ca 8b 87 a5 24 ea 10 8d 79 c7 61 52 cd 56 af d3 fe 8c ea 2f 71 fa d7 39 85 31 d2 f8 0c 04 2f 74 55 2a 18 21 7f 9b 5a 22 f3 8b af 6c 8c 5e 95 bc bd ea ff 07 59 a7 9c 35 a1 38 5b d3 0a 85 cf ad cc 2e 88 3a f5 d1 c4 0e 9e 92 36 55 eb 56
                                                                                                                                                                                                                                                                          Data Ascii: /eM#c0p%/,dzM"V54B V?DWeC<$q~j,)V|c0l,r6Dbn9<S]3^dQ,U[z>$AG'Qyc=5.$yaRV/q91/tU*!Z"l^Y58[.:6UV


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.11 | 49776 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:30 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0950ed73-74e9-4e9c-8f6e-bd3943c07a92&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
    Host: ps.pndsn.com
2024-11-24 10:16:30 UTC | 242 | IN | HTTP/1.1 200 OK
    Date: Sun, 24 Nov 2024 10:16:30 GMT
    Content-Type: text/javascript; charset="UTF-8"
    Connection: close
    Content-Length: 19
    Cache-Control: no-cache
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: *
2024-11-24 10:16:30 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 33 39 30 35 34 37 39 34 35 30 5d
    Data Ascii: [17324433905479450]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.11 | 49777 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:16:30 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=21b3579c-1a7e-42af-89a3-d62561119c3f&tr=31&tt=17324433862201175&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json
    Host: ps.pndsn.com
2024-11-24 10:17:23 UTC | 279 | IN | HTTP/1.1 200 OK
    Date: Sun, 24 Nov 2024 10:17:23 GMT
    Content-Type: text/javascript; charset="UTF-8"
    Content-Length: 1889
    Connection: close
    Cache-Control: no-cache
    Access-Control-Allow-Methods: GET
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: *
2024-11-24 10:17:23 UTC | 1889 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 34 33 34 34 39 37 39 38 32 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 30 65 65 65 35 35 62 64 2d 35 36 38 61 2d 34 62 64 62 2d 38 62 62 37 2d 38 65 62 39 37 30 33 62 37 30 39 63 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 34 33 34 34 39 37 39 38 32 22 2c 22 72 22 3a 34 32 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 31 64 62 34 30 66 39 31 2d 39 34 31 63 2d 34 62 63 62 2d 39 36 31 64 2d 31 66 65 32 39 38 32 65 38 32 62 36 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 34 62 37 32 34 34 36
    Data Ascii: {"t":{"t":"17324434434497982","r":31},"m":[{"a":"2","f":0,"i":"0eee55bd-568a-4bdb-8bb7-8eb9703b709c","p":{"t":"17324434434497982","r":42},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"1db40f91-941c-4bcb-961d-1fe2982e82b6","d":{"CommandId":"4b72446


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.11 | 49882 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:15 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f0169ba0-1470-42de-a8c0-d3acdded414b&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
    Host: ps.pndsn.com
2024-11-24 10:17:15 UTC | 242 | IN | HTTP/1.1 200 OK
    Date: Sun, 24 Nov 2024 10:17:15 GMT
    Content-Type: text/javascript; charset="UTF-8"
    Connection: close
    Content-Length: 19
    Cache-Control: no-cache
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: *
2024-11-24 10:17:15 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 33 35 37 32 34 39 30 33 31 5d
    Data Ascii: [17324434357249031]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.11 | 49891 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:18 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=81ad481d-fe32-40f1-a575-ff3213b02a54&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json
    Host: ps.pndsn.com
2024-11-24 10:17:19 UTC | 322 | IN | HTTP/1.1 200 OK
    Date: Sun, 24 Nov 2024 10:17:18 GMT
    Content-Type: text/javascript; charset="UTF-8"
    Content-Length: 55
    Connection: close
    Access-Control-Allow-Methods: OPTIONS, GET, POST
    Age: 0
    Cache-Control: no-cache
    Accept-Ranges: bytes
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: *
2024-11-24 10:17:19 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
    Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.11 | 49913 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:26 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b56d0227-452e-4f76-a77a-378f095d9d38&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:26 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:26 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:26 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 34 36 35 37 34 39 30 33 37 5d
Data Ascii: [17324434465749037]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.11 | 49914 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:26 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=948125fe-e3cf-42ab-ba34-976a3adf5c80&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.11 | 49934 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:33 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6c5142d1-8eb7-4c24-9754-9b429320ed0d&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:34 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:33 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:34 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 35 33 37 38 35 39 35 37 32 5d
Data Ascii: [17324434537859572]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.11 | 49933 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:34 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d2f98d58-ae77-41cb-bf75-a12c39413b70&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:34 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:34 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:34 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.11 | 49945 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:37 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=307e4b22-ae8f-4dc7-a619-34b637c0b56b&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:37 UTC | 277 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:37 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 45
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:37 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 34 33 34 34 39 37 39 38 32 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
Data Ascii: {"t":{"t":"17324434434497982","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.11 | 49954 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:40 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cead9e07-0918-4110-bf73-0cde7886e764&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:40 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:40 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:40 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 36 30 34 38 36 35 30 38 31 5d
Data Ascii: [17324434604865081]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
15 | 192.168.2.11 | 49955 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:40 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0f2fcab0-36f7-497d-80c2-ed154ce143d7&tr=31&tt=17324434434497982&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:40 UTC | 279 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:40 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 1869
Connection: close
Cache-Control: no-cache
Access-Control-Allow-Methods: GET
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
                                                                                                                                                                                                                                                                          2024-11-24 10:17:40 UTC1869INData Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 35 39 36 37 33 39 31 34 36 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 7b 22 61 22 3a 22 32 22 2c 22 66 22 3a 30 2c 22 69 22 3a 22 34 34 39 39 61 66 64 34 2d 32 63 37 63 2d 34 37 61 61 2d 39 32 63 37 2d 61 38 37 62 37 39 65 66 38 65 36 34 22 2c 22 70 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 35 39 36 37 33 39 31 34 36 22 2c 22 72 22 3a 32 33 7d 2c 22 6b 22 3a 22 73 75 62 2d 63 2d 61 30 32 63 65 63 61 38 2d 61 39 35 38 2d 31 31 65 35 2d 62 64 38 63 2d 30 36 31 39 66 38 39 34 35 61 34 66 22 2c 22 63 22 3a 22 31 64 62 34 30 66 39 31 2d 39 34 31 63 2d 34 62 63 62 2d 39 36 31 64 2d 31 66 65 32 39 38 32 65 38 32 62 36 22 2c 22 64 22 3a 7b 22 43 6f 6d 6d 61 6e 64 49 64 22 3a 22 62 62 61 36 32 39 36
                                                                                                                                                                                                                                                                          Data Ascii: {"t":{"t":"17324434596739146","r":31},"m":[{"a":"2","f":0,"i":"4499afd4-2c7c-47aa-92c7-a87b79ef8e64","p":{"t":"17324434596739146","r":23},"k":"sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f","c":"1db40f91-941c-4bcb-961d-1fe2982e82b6","d":{"CommandId":"bba6296


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.11 | 49964 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:43 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9912033a-6573-4ca2-b350-37c2bc6e22e9&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:43 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:43 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:43 UTC | 19 | IN | Data Ascii: [17324434633362682]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.11 | 49965 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:43 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2834bcd7-fd55-4889-8913-f76d7ffbc034&tr=31&tt=17324434596739146&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.11 | 49977 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:47 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=86b5c6de-7733-4db5-b81f-7d902ad87fa7&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:17:47 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:47 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:47 UTC | 19 | IN | Data Ascii: [17324434673674743]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.11 | 49988 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:49 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2c6e45e8-47f3-4b11-b828-5f7d85987293&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:50 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:50 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:50 UTC | 74 | IN | Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.11 | 49989 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:49 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=2f5b9f56-7551-421b-9316-301f6079e99e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:50 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:50 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:17:50 UTC | 74 | IN | Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.11 | 50000 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:52 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c2b41531-6511-4485-b86e-174f0caf9d55&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:17:53 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:17:53 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 74
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                                                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
                                                                                                                                                                                                                                                                          2024-11-24 10:17:53 UTC74INData Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
                                                                                                                                                                                                                                                                          Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.11 | 50001 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:52 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0b567b7d-02ab-4d8f-b457-87226ecdada3&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json
    Host: ps.pndsn.com
2024-11-24 10:17:53 UTC | 277 | IN | HTTP/1.1 200 OK
    Date: Sun, 24 Nov 2024 10:17:53 GMT
    Content-Type: text/javascript; charset="UTF-8"
    Content-Length: 45
    Connection: close
    Cache-Control: no-cache
    Access-Control-Allow-Methods: GET
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: *
2024-11-24 10:17:53 UTC | 45 | IN | Data Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 35 39 36 37 33 39 31 34 36 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
    Data Ascii: {"t":{"t":"17324434596739146","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.11 | 50017 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:55 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c29a5fd2-a31e-449c-a116-6640bd437f2a&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json
    Host: ps.pndsn.com
2024-11-24 10:17:56 UTC | 322 | IN | HTTP/1.1 200 OK
    Date: Sun, 24 Nov 2024 10:17:56 GMT
    Content-Type: text/javascript; charset="UTF-8"
    Content-Length: 74
    Connection: close
    Access-Control-Allow-Methods: OPTIONS, GET, POST
    Age: 0
    Cache-Control: no-cache
    Accept-Ranges: bytes
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: *
2024-11-24 10:17:56 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
    Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
24 | 192.168.2.11 | 50015 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:55 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=1549cfbe-4797-4e9b-87ba-b39ddfdb0c6e&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
    Host: ps.pndsn.com
2024-11-24 10:17:56 UTC | 242 | IN | HTTP/1.1 200 OK
    Date: Sun, 24 Nov 2024 10:17:56 GMT
    Content-Type: text/javascript; charset="UTF-8"
    Connection: close
    Content-Length: 19
    Cache-Control: no-cache
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: *
2024-11-24 10:17:56 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 37 36 32 35 36 39 38 39 31 5d
    Data Ascii: [17324434762569891]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
25 | 192.168.2.11 | 50027 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:58 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=504e0050-fb3e-4785-b22a-13fb6da05322&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json
    Host: ps.pndsn.com
2024-11-24 10:17:59 UTC | 322 | IN | HTTP/1.1 200 OK
    Date: Sun, 24 Nov 2024 10:17:59 GMT
    Content-Type: text/javascript; charset="UTF-8"
    Content-Length: 55
    Connection: close
    Access-Control-Allow-Methods: OPTIONS, GET, POST
    Age: 0
    Cache-Control: no-cache
    Accept-Ranges: bytes
    Access-Control-Allow-Credentials: true
    Access-Control-Expose-Headers: *
2024-11-24 10:17:59 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
    Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
26 | 192.168.2.11 | 50028 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:17:59 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=f7ffddb2-9b76-4bfa-9cc3-f625de546771&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
    Cache-Control: no-cache
    Pragma: no-cache
    Content-Type: application/json
    Host: ps.pndsn.com
2024-11-24 10:17:59 UTC | 322 | IN | HTTP/1.1 200 OK
    Date: Sun, 24 Nov 2024 10:17:59 GMT
    Content-Type: text/javascript; charset="UTF-8"
    Content-Length: 74
    Connection: close
    Access-Control-Allow-Methods: OPTIONS, GET, POST
    Age: 0
    Cache-Control: no-cache
    Accept-Ranges: bytes
                                                                                                                                                                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
2024-11-24 10:17:59 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
                                                                                                                                                                                                                                                                          Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
27 | 192.168.2.11 | 50038 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:18:02 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=262560da-847d-4155-9198-8e4ffcd1509c&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Pragma: no-cache
                                                                                                                                                                                                                                                                          Content-Type: application/json
                                                                                                                                                                                                                                                                          Host: ps.pndsn.com
2024-11-24 10:18:02 UTC | 322 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                          Date: Sun, 24 Nov 2024 10:18:02 GMT
                                                                                                                                                                                                                                                                          Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                          Content-Length: 55
                                                                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                                                                          Access-Control-Allow-Methods: OPTIONS, GET, POST
                                                                                                                                                                                                                                                                          Age: 3
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                                                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
2024-11-24 10:18:02 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
                                                                                                                                                                                                                                                                          Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
28 | 192.168.2.11 | 50041 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:18:02 UTC | 354 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a9364c7f-76bc-44d5-9e4a-9e20b519e5f6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Pragma: no-cache
                                                                                                                                                                                                                                                                          Content-Type: application/json
                                                                                                                                                                                                                                                                          Host: ps.pndsn.com
2024-11-24 10:18:02 UTC | 322 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                          Date: Sun, 24 Nov 2024 10:18:02 GMT
                                                                                                                                                                                                                                                                          Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                          Content-Length: 74
                                                                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                                                                          Access-Control-Allow-Methods: OPTIONS, GET, POST
                                                                                                                                                                                                                                                                          Age: 0
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                                                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
2024-11-24 10:18:02 UTC | 74 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 61 63 74 69 6f 6e 22 3a 20 22 6c 65 61 76 65 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
                                                                                                                                                                                                                                                                          Data Ascii: {"status": 200, "message": "OK", "action": "leave", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
29 | 192.168.2.11 | 50052 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:18:05 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=04073794-9b1a-456b-85fe-6eca65797754&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
                                                                                                                                                                                                                                                                          Host: ps.pndsn.com
2024-11-24 10:18:05 UTC | 242 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                          Date: Sun, 24 Nov 2024 10:18:05 GMT
                                                                                                                                                                                                                                                                          Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                                                                          Content-Length: 19
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
2024-11-24 10:18:05 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 38 35 34 37 35 36 37 37 38 5d
                                                                                                                                                                                                                                                                          Data Ascii: [17324434854756778]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
30 | 192.168.2.11 | 50053 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:18:05 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c1164d1e-bc30-4eb8-888a-782a294ae896&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Pragma: no-cache
                                                                                                                                                                                                                                                                          Content-Type: application/json
                                                                                                                                                                                                                                                                          Host: ps.pndsn.com
2024-11-24 10:18:05 UTC | 322 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                          Date: Sun, 24 Nov 2024 10:18:05 GMT
                                                                                                                                                                                                                                                                          Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                          Content-Length: 55
                                                                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                                                                          Access-Control-Allow-Methods: OPTIONS, GET, POST
                                                                                                                                                                                                                                                                          Age: 0
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Accept-Ranges: bytes
                                                                                                                                                                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
2024-11-24 10:18:05 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
                                                                                                                                                                                                                                                                          Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
31 | 192.168.2.11 | 50064 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:18:08 UTC | 340 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=de127575-77e7-4719-a128-017012d14d11&tt=0&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Pragma: no-cache
                                                                                                                                                                                                                                                                          Content-Type: application/json
                                                                                                                                                                                                                                                                          Host: ps.pndsn.com
2024-11-24 10:18:08 UTC | 277 | IN | HTTP/1.1 200 OK
                                                                                                                                                                                                                                                                          Date: Sun, 24 Nov 2024 10:18:08 GMT
                                                                                                                                                                                                                                                                          Content-Type: text/javascript; charset="UTF-8"
                                                                                                                                                                                                                                                                          Content-Length: 45
                                                                                                                                                                                                                                                                          Connection: close
                                                                                                                                                                                                                                                                          Cache-Control: no-cache
                                                                                                                                                                                                                                                                          Access-Control-Allow-Methods: GET
                                                                                                                                                                                                                                                                          Access-Control-Allow-Credentials: true
                                                                                                                                                                                                                                                                          Access-Control-Expose-Headers: *
                                                                                                                                                                                                                                                                          2024-11-24 10:18:08 UTC45INData Raw: 7b 22 74 22 3a 7b 22 74 22 3a 22 31 37 33 32 34 34 33 34 38 37 30 31 37 34 39 39 32 22 2c 22 72 22 3a 33 31 7d 2c 22 6d 22 3a 5b 5d 7d
                                                                                                                                                                                                                                                                          Data Ascii: {"t":{"t":"17324434870174992","r":31},"m":[]}


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
32 | 192.168.2.11 | 50066 | 13.232.67.198 | 443 | 8040 | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:18:08 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=95a8cc07-d7ac-4863-aa59-e133b0947fc6&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:18:09 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:18:08 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:18:09 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port
33 | 192.168.2.11 | 50073 | 13.232.67.198 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:18:11 UTC | 159 | OUT | GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9debe3d6-bd60-48d8-8f32-cac259735cf3&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Host: ps.pndsn.com
2024-11-24 10:18:11 UTC | 242 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:18:11 GMT
Content-Type: text/javascript; charset="UTF-8"
Connection: close
Content-Length: 19
Cache-Control: no-cache
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:18:11 UTC | 19 | IN | Data Raw: 5b 31 37 33 32 34 34 33 34 39 31 34 38 30 38 34 34 39 5d
Data Ascii: [17324434914808449]


Session ID | Source IP | Source Port | Destination IP | Destination Port
34 | 192.168.2.11 | 50076 | 13.232.67.198 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:18:11 UTC | 358 | OUT | GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/1db40f91-941c-4bcb-961d-1fe2982e82b6/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=248769b3-5b56-419a-86a3-53e6abc6f7ea&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com
2024-11-24 10:18:11 UTC | 322 | IN | HTTP/1.1 200 OK
Date: Sun, 24 Nov 2024 10:18:11 GMT
Content-Type: text/javascript; charset="UTF-8"
Content-Length: 55
Connection: close
Access-Control-Allow-Methods: OPTIONS, GET, POST
Age: 0
Cache-Control: no-cache
Accept-Ranges: bytes
Access-Control-Allow-Credentials: true
Access-Control-Expose-Headers: *
2024-11-24 10:18:11 UTC | 55 | IN | Data Raw: 7b 22 73 74 61 74 75 73 22 3a 20 32 30 30 2c 20 22 6d 65 73 73 61 67 65 22 3a 20 22 4f 4b 22 2c 20 22 73 65 72 76 69 63 65 22 3a 20 22 50 72 65 73 65 6e 63 65 22 7d
Data Ascii: {"status": 200, "message": "OK", "service": "Presence"}


Session ID | Source IP | Source Port | Destination IP | Destination Port
35 | 192.168.2.11 | 50083 | 13.232.67.198 | 443
Timestamp | Bytes transferred | Direction | Data
2024-11-24 10:18:14 UTC | 362 | OUT | GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/1db40f91-941c-4bcb-961d-1fe2982e82b6/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8bd2666e-deba-4537-9847-826117c775e9&tr=31&tt=17324434870174992&uuid=1db40f91-941c-4bcb-961d-1fe2982e82b6 HTTP/1.1
Cache-Control: no-cache
Pragma: no-cache
Content-Type: application/json
Host: ps.pndsn.com



                                                                                                                                                                                                                                                                          Target ID:0
                                                                                                                                                                                                                                                                          Start time:05:16:00
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k NetworkService -p
                                                                                                                                                                                                                                                                          Imagebase:0x7ff68dea0000
                                                                                                                                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:1
                                                                                                                                                                                                                                                                          Start time:05:16:00
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\SgrmBroker.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\SgrmBroker.exe
                                                                                                                                                                                                                                                                          Imagebase:0x7ff6b0400000
                                                                                                                                                                                                                                                                          File size:329'504 bytes
                                                                                                                                                                                                                                                                          MD5 hash:3BA1A18A0DC30A0545E7765CB97D8E63
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                                                                          Target ID:2
                                                                                                                                                                                                                                                                          Start time:05:16:00
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\svchost.exe -k UnistackSvcGroup
                                                                                                                                                                                                                                                                          Imagebase:0x7ff68dea0000
                                                                                                                                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                          Has elevated privileges:false
                                                                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                                                                          Target ID:3
                                                                                                                                                                                                                                                                          Start time:05:16:00
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\sppsvc.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\sppsvc.exe
                                                                                                                                                                                                                                                                          Imagebase:0x7ff6fe800000
                                                                                                                                                                                                                                                                          File size:4'630'384 bytes
                                                                                                                                                                                                                                                                          MD5 hash:320823F03672CEB82CC3A169989ABD12
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:moderate
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:4
                                                                                                                                                                                                                                                                          Start time:05:16:00
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\Digital.msi"
                                                                                                                                                                                                                                                                          Imagebase:0x7ff6072d0000
                                                                                                                                                                                                                                                                          File size:69'632 bytes
                                                                                                                                                                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:5
                                                                                                                                                                                                                                                                          Start time:05:16:01
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
                                                                                                                                                                                                                                                                          Imagebase:0x7ff68dea0000
                                                                                                                                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                                                                          Target ID:7
                                                                                                                                                                                                                                                                          Start time:05:16:01
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\msiexec.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                                                                                                                                                                                                          Imagebase:0x7ff6072d0000
                                                                                                                                                                                                                                                                          File size:69'632 bytes
                                                                                                                                                                                                                                                                          MD5 hash:E5DA170027542E25EDE42FC54C929077
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                                                                          Target ID:8
                                                                                                                                                                                                                                                                          Start time:05:16:01
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\svchost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
                                                                                                                                                                                                                                                                          Imagebase:0x7ff68dea0000
                                                                                                                                                                                                                                                                          File size:55'320 bytes
                                                                                                                                                                                                                                                                          MD5 hash:B7F884C1B74A263F746EE12A5F7C9F6A
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                                                                          Target ID:9
                                                                                                                                                                                                                                                                          Start time:05:16:02
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\msiexec.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\syswow64\MsiExec.exe -Embedding BDCEB15B695F7B18E5D384CA0657056F
                                                                                                                                                                                                                                                                          Imagebase:0x8f0000
                                                                                                                                                                                                                                                                          File size:59'904 bytes
                                                                                                                                                                                                                                                                          MD5 hash:9D09DC1EDA745A5F87553048E57620CF
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Reputation:high
                                                                                                                                                                                                                                                                          Has exited:true

Target ID: 10
Start time: 05:16:02
Start date: 24/11/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Windows\Installer\MSIC52A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3851687 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Imagebase: 0xe50000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000A.00000003.1297790604.0000000004814000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: high
Has exited: true

Target ID: 11
Start time: 05:16:03
Start date: 24/11/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Windows\Installer\MSIC932.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3852625 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Imagebase: 0xe50000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000B.00000002.1361716036.0000000005031000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000B.00000002.1361716036.00000000050D4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000B.00000003.1301889359.0000000004E3E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited: true

Target ID: 12
Start time: 05:16:09
Start date: 24/11/2024
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: rundll32.exe "C:\Windows\Installer\MSIE1CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3858921 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Imagebase: 0xe50000
File size: 61'440 bytes
MD5 hash: 889B99C52A60DD49227C5E485A016679
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000C.00000003.1365900976.00000000048B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited: true

Target ID: 13
Start time: 05:16:11
Start date: 24/11/2024
Path: C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit): true
Commandline: C:\Windows\syswow64\MsiExec.exe -Embedding 698B2CE5FB46AC99A05489DBEDC6273F E Global\MSI0000
Imagebase: 0x8f0000
File size: 59'904 bytes
MD5 hash: 9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 14
Start time: 05:16:11
Start date: 24/11/2024
Path: C:\Windows\SysWOW64\net.exe
Wow64 process (32bit): true
Commandline: "NET" STOP AteraAgent
Imagebase: 0x830000
File size: 47'104 bytes
MD5 hash: 31890A7DE89936F922D44D677F681A7F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 15
Start time: 05:16:11
Start date: 24/11/2024
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff68cce0000
File size: 862'208 bytes
MD5 hash: 0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 16
Start time: 05:16:11
Start date: 24/11/2024
Path: C:\Windows\SysWOW64\net1.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\net1 STOP AteraAgent
Imagebase: 0x1000000
File size: 139'776 bytes
MD5 hash: 2EFE6ED4C294AB8A39EB59C80813FEC1
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

Target ID: 17
Start time: 05:16:11
Start date: 24/11/2024
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: "TaskKill.exe" /f /im AteraAgent.exe
Imagebase: 0x830000
File size: 74'240 bytes
MD5 hash: CA313FD7E6C2A778FFD21CFB5C1C56CD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Has exited: true

                                                                                                                                                                                                                                                                          Target ID:18
                                                                                                                                                                                                                                                                          Start time:05:16:11
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff68cce0000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:19
                                                                                                                                                                                                                                                                          Start time:05:16:12
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="Salim.Jami@korektel.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KANvwIAH" /AgentId="1db40f91-941c-4bcb-961d-1fe2982e82b6"
                                                                                                                                                                                                                                                                          Imagebase:0x207e7090000
                                                                                                                                                                                                                                                                          File size:145'968 bytes
                                                                                                                                                                                                                                                                          MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                                                                          • Detection: 26%, ReversingLabs
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:20
                                                                                                                                                                                                                                                                          Start time:05:16:16
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
                                                                                                                                                                                                                                                                          Imagebase:0x1e818e20000
                                                                                                                                                                                                                                                                          File size:145'968 bytes
                                                                                                                                                                                                                                                                          MD5 hash:477293F80461713D51A98A24023D45E8
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2526996281.000001E81905D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2527764895.000001E819F3A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2526996281.000001E818FFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000014.00000002.2527764895.000001E819F50000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                          Has exited:false

                                                                                                                                                                                                                                                                          Target ID:22
                                                                                                                                                                                                                                                                          Start time:05:16:17
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\sc.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                                                                                                                                                                                                                                                          Imagebase:0x7ff691bd0000
                                                                                                                                                                                                                                                                          File size:72'192 bytes
                                                                                                                                                                                                                                                                          MD5 hash:3FB5CF71F7E7EB49790CB0E663434D80
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:23
                                                                                                                                                                                                                                                                          Start time:05:16:17
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff68cce0000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:24
                                                                                                                                                                                                                                                                          Start time:05:16:17
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\SysWOW64\rundll32.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                                                                                                                                                          Commandline:rundll32.exe "C:\Windows\Installer\MSI1EC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_3867125 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                                                                                                                                                                                                                                                                          Imagebase:0xe50000
                                                                                                                                                                                                                                                                          File size:61'440 bytes
                                                                                                                                                                                                                                                                          MD5 hash:889B99C52A60DD49227C5E485A016679
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1506275968.0000000004B07000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000003.1446901371.0000000004895000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000018.00000002.1506275968.0000000004A61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:25
                                                                                                                                                                                                                                                                          Start time:05:16:37
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "ef2508c1-c717-4567-98db-ad739433a027" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
                                                                                                                                                                                                                                                                          Imagebase:0x206ff100000
                                                                                                                                                                                                                                                                          File size:177'704 bytes
                                                                                                                                                                                                                                                                          MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          • Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
                                                                                                                                                                                                                                                                          Antivirus matches:
                                                                                                                                                                                                                                                                          • Detection: 0%, ReversingLabs
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:26
                                                                                                                                                                                                                                                                          Start time:05:16:37
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff68cce0000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:27
                                                                                                                                                                                                                                                                          Start time:05:17:02
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Program Files\Windows Defender\MpCmdRun.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
                                                                                                                                                                                                                                                                          Imagebase:0x7ff657ab0000
                                                                                                                                                                                                                                                                          File size:468'120 bytes
                                                                                                                                                                                                                                                                          MD5 hash:B3676839B2EE96983F9ED735CD044159
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:28
                                                                                                                                                                                                                                                                          Start time:05:17:02
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff68cce0000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:false
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:29
                                                                                                                                                                                                                                                                          Start time:05:17:23
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "4b724461-d5de-45b3-918d-01f1dd7fb803" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
                                                                                                                                                                                                                                                                          Imagebase:0x29fbe420000
                                                                                                                                                                                                                                                                          File size:177'704 bytes
                                                                                                                                                                                                                                                                          MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:30
                                                                                                                                                                                                                                                                          Start time:05:17:23
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff68cce0000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:31
                                                                                                                                                                                                                                                                          Start time:05:17:40
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 1db40f91-941c-4bcb-961d-1fe2982e82b6 "bba6296f-630c-4728-badb-dcac66c37446" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KANvwIAH
                                                                                                                                                                                                                                                                          Imagebase:0x217efbf0000
                                                                                                                                                                                                                                                                          File size:177'704 bytes
                                                                                                                                                                                                                                                                          MD5 hash:FD9DF72620BCA7C4D48BC105C89DFFD2
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Yara matches:
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                          Target ID:32
                                                                                                                                                                                                                                                                          Start time:05:17:40
                                                                                                                                                                                                                                                                          Start date:24/11/2024
                                                                                                                                                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                                                                                                          Imagebase:0x7ff68cce0000
                                                                                                                                                                                                                                                                          File size:862'208 bytes
                                                                                                                                                                                                                                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                                                                                                                                                                                          Has elevated privileges:true
                                                                                                                                                                                                                                                                          Has administrator privileges:true
                                                                                                                                                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                                                                                                                                                          Has exited:true

                                                                                                                                                                                                                                                                            • Opcode ID: 8b962937446907a7b4eafb8453fa5ed6501ec9a68c4864912c6cde4252282fe9
                                                                                                                                                                                                                                                                            • Instruction ID: 8aafb35382449dca8bb71dfb305abb3da9ded09c6f7b6f323cb83073db3efbd7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8b962937446907a7b4eafb8453fa5ed6501ec9a68c4864912c6cde4252282fe9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3F215B31A5A32E6FC391277569683EA7F64CF42331F11847FE99887151C924C996C3F0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: fde5d33d3076bfddd448eb560e580e45d2290d710ad104a643e5a6e1d6fa132b
                                                                                                                                                                                                                                                                            • Instruction ID: 612f3b269130d61a8864a432af4f6959bd55371b7bdadcbc8868aa20fe6367f1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fde5d33d3076bfddd448eb560e580e45d2290d710ad104a643e5a6e1d6fa132b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D6212436A043689BEB509B6989646EEBFE6DF88224F05407ED541D724ADA34C906C7D0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e2efa79bc0378262928fd662e25a84635d71693b96d1fcf0960b2fd2d01aaf87
                                                                                                                                                                                                                                                                            • Instruction ID: a7269547809c08a07b46c1bb15e81c7ef408f4a46d480284077d2fcac24a457d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e2efa79bc0378262928fd662e25a84635d71693b96d1fcf0960b2fd2d01aaf87
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6D211A75E111189FCB54DF69D88499EBBB1FF4C720F10812AE815EB320DB319942CBA0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c4cab3f63b1eaaebcb206cdb1b1967bcdcb6aed69f0c92cb36a0f597e6bd50a2
                                                                                                                                                                                                                                                                            • Instruction ID: 9dde21d1d41231b1afaa595abc6f59c8c939ae655f705a05bc723a0babb7ff09
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c4cab3f63b1eaaebcb206cdb1b1967bcdcb6aed69f0c92cb36a0f597e6bd50a2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B7217235608259AFCB44DFA4D554AA97FB2EF8C324F16402DE44997380CB789C45CBD0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1712566d43ac4fd15a6fa8ce9aaf2f1a944db6a39e2873ad3680735072e3167d
                                                                                                                                                                                                                                                                            • Instruction ID: 48abf2dbaebff50c5d78fae5d21a6e025942e6695435310ce333f76562e096a7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1712566d43ac4fd15a6fa8ce9aaf2f1a944db6a39e2873ad3680735072e3167d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A321E3B0D042498EDB64DFAAC984AEEFBF4FF48324F10852ED419A7240C7756949CFA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1dddf06a6c119bfcdb6884e547cd8f16721316a1ae7f279fd7539b763e1fe7b6
                                                                                                                                                                                                                                                                            • Instruction ID: 826e730f4a7c9c47846e59e33c3700803a00e4ec52f006716ac034de174d723e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1dddf06a6c119bfcdb6884e547cd8f16721316a1ae7f279fd7539b763e1fe7b6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A811F2B0D042098EDB24DFAAC881AEEFBF4FF48324F10842AD41967240C7756945CFA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 091a23e4d23d9b2150da126e0dcac8d6bf2b9fca39582b2e96a82ef25b81d6de
                                                                                                                                                                                                                                                                            • Instruction ID: ceb64fb970f19833778fc6826508e75ca5678d2ccbe6b696cabe4bd4b1206983
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 091a23e4d23d9b2150da126e0dcac8d6bf2b9fca39582b2e96a82ef25b81d6de
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9F01B530A5E34E2FC7496F746D311263FA9DE8612871648BED54DCB192E9148809C3D1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 47ee9233f2b694a9e10a2e9c2a62e87142072e60d35fdfbe927faf1ecf96bfdf
                                                                                                                                                                                                                                                                            • Instruction ID: 2f70b2238329f3b59c6dd5f0ab7aea112b6801b046c99c03144184e8697e3ab0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 47ee9233f2b694a9e10a2e9c2a62e87142072e60d35fdfbe927faf1ecf96bfdf
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4101A271B0521EABE754AAA88C94BEF7AAADB88624F10413DD111F7381CEB64D0587F1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 62497e662aad5a531bc8079d6e5f31ba197de901374dc37583aae1a5af101cb6
                                                                                                                                                                                                                                                                            • Instruction ID: ff973806e689dc64dec4090ca1241c6e532dad252a4bbc6c34a75f6e2e03e837
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 62497e662aad5a531bc8079d6e5f31ba197de901374dc37583aae1a5af101cb6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 68113D35608219AFCB44DF68D954AA97FB6EF8C324F154029E40AE7390CF799C85CBD0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000002.1299330288.00000000046FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046FD000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_46fd000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1c43511e2718d1e943aeaa8eac03fb893124f08fcc880559b08feef1f47ebed3
                                                                                                                                                                                                                                                                            • Instruction ID: dca79f6b66bdb2496bbbefa3e3cb18de192b29280abb58944ab778ac3e12ec8c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1c43511e2718d1e943aeaa8eac03fb893124f08fcc880559b08feef1f47ebed3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CB012071104300A9D7104F15ED84B67BF98DF51320F08C51ADE8A0B245E378B845C6B1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000002.1299330288.00000000046FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046FD000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_2_46fd000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f0d776405ffc30d54629c12939404eebbc6e0c07e14b6dac9c68973ba0721aa9
                                                                                                                                                                                                                                                                            • Instruction ID: c11d6a0f0e49e9317c012b71cc0be68289ce273233a4236b940a198f9259a8f3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f0d776405ffc30d54629c12939404eebbc6e0c07e14b6dac9c68973ba0721aa9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B01406100E3C05ED7124B259D94A52BFB4EF53224F1D85CBDD888F297D2695849C772
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7d9bbb12913362774a7aebdf6b4dd60ede72877f7dd47c86595a7b3f02166075
                                                                                                                                                                                                                                                                            • Instruction ID: f2146afaea0f9eab14bdfb0fd0e7703e1f502038c29663ce7e240708683c8e79
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7d9bbb12913362774a7aebdf6b4dd60ede72877f7dd47c86595a7b3f02166075
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5AF0C234A4D20E6FC7496F75AA2111A7FAAEEC622C316487ED14DCF191FD248905C7C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 08e1cf6d001c3db4facd46e8bcf60377f9f9e10290f3d3475b369955e64c4fe1
                                                                                                                                                                                                                                                                            • Instruction ID: b473986033e6be0d324fb764a78826ccdd9fd12d15b79378938338d8db53164c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 08e1cf6d001c3db4facd46e8bcf60377f9f9e10290f3d3475b369955e64c4fe1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 96F0A73570571A578B745A1794C0B7A6B9ADFC8775B04803DE918C3344DE758E4252B4
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: eabcc8828e884638b07117226b4ef524a04a68c30d0fc5f6c5d229e4e3dcd0f8
                                                                                                                                                                                                                                                                            • Instruction ID: 42fb8ae9888814af72afee27536e6527db0090d5ddd03c20a0fcb9d0a5a19476
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: eabcc8828e884638b07117226b4ef524a04a68c30d0fc5f6c5d229e4e3dcd0f8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1AF0BB36B141855BCB0D9B64D4186EDBBB2DBC9310F21816ED48267280DF75091DC790
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: bafa107ef26690c145b828764d15b51c136c00029217e1d3b0de99432ccb8493
                                                                                                                                                                                                                                                                            • Instruction ID: d7c6502870f92d99b0c053f9ece6613efc5481709753709ec951f817e858ce8f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bafa107ef26690c145b828764d15b51c136c00029217e1d3b0de99432ccb8493
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 46E09220B6571F16EBF836A899107A766DF8F40734F04083DC441C7649D8D0EA4203F1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e628e2811a27ca94118fd08094439651a98128a7bf5393e554db7e83db93eaa5
                                                                                                                                                                                                                                                                            • Instruction ID: a1b4602f93130dfc269f6a1d55fe957da857e1bb695924e0c071c742ce9a00c6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e628e2811a27ca94118fd08094439651a98128a7bf5393e554db7e83db93eaa5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 00E0E532F141184BCB0C9668E4145EDB776EBC8221B11803AD816A3340EF705D0DCBD1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000A.00000003.1298633148.0000000006DC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_10_3_6dc0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359408027.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7450000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: Pl_q$Pl_q$Pl_q$Pl_q$Pl_q$x dq
                                                                                                                                                                                                                                                                            • API String ID: 0-2995976623
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359408027.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7450000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: \;_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2457888070
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: aq$$&`q$(__q$4'_q$4'_q$4'_q$4'_q$4c_q$4c_q$@b_q$|-`q$$_q$$_q$c_q$c_q$aq
                                                                                                                                                                                                                                                                            • API String ID: 0-1497698772
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: aq$$&`q$(__q$4'_q$4'_q$4'_q$4'_q$4c_q$4c_q$@b_q$|-`q$$_q$$_q$c_q$c_q$aq
                                                                                                                                                                                                                                                                            • API String ID: 0-1497698772
                                                                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$LR_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2711968010
                                                                                                                                                                                                                                                                            • Opcode ID: 99a874c82b9557aab0ca6ca69efdfd795132ee33567571a5b086a78ae7f87c26
                                                                                                                                                                                                                                                                            • Instruction ID: 867e91730b953d0ad45d123a396cfa789789ae80fb208a2dbb4a77a0ec91bf3c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 99a874c82b9557aab0ca6ca69efdfd795132ee33567571a5b086a78ae7f87c26
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A44115B0B042969FEB199B38985477E3AA7EBC5610F04846DE40ACB395DE38CD05C391
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$T;s
                                                                                                                                                                                                                                                                            • API String ID: 0-3422692073
                                                                                                                                                                                                                                                                            • Opcode ID: a744364fe133b4f22f52f4e17593f0a1166c9917befb94e24a50e35322f2e3e8
                                                                                                                                                                                                                                                                            • Instruction ID: 869f2e3466bb995223fe4ba4cb00b8dc5ab4f2fbf664d26455771c92fc3e9cd0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a744364fe133b4f22f52f4e17593f0a1166c9917befb94e24a50e35322f2e3e8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4F3112B5B402164FEB18DA7ED49196EBBA6FFC46507204179E50ACB390EE38DC01CBA1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (Adq
                                                                                                                                                                                                                                                                            • API String ID: 0-319377459
                                                                                                                                                                                                                                                                            • Opcode ID: f31000184c7b8856e27c61391ef6b31fcc636a171314901e53a8618c265f6596
                                                                                                                                                                                                                                                                            • Instruction ID: 96b8a0e9c0a9708101c26a0bd758deb343650ac749f04a6e713deb136e99b546
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f31000184c7b8856e27c61391ef6b31fcc636a171314901e53a8618c265f6596
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 80C182B4B5021ADFEB24DF69D554AAEBBB6BF84300F144069D406EB394EF389C06CB51
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 905c9b5fe19d069af6259a2d6ba8919a625b069070b6e8ba145670d405ca8682
                                                                                                                                                                                                                                                                            • Instruction ID: ec7d0b69feed5b5e4b81f0e0666dcf78b23e251ab8b9eed1d42baf683c21ceb1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 905c9b5fe19d069af6259a2d6ba8919a625b069070b6e8ba145670d405ca8682
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 87E12A74A0035A8FDB15CF68C888A9DBBF2FF89300F158295D849AB365DB74ED45CB90
                                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 07459FF8
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359408027.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7450000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID: 6842923-0
                                                                                                                                                                                                                                                                            • Opcode ID: 6b7a95cbfe14745684b1a5b891778ab1c35772fe39e18682628e6a19c40487a2
                                                                                                                                                                                                                                                                            • Instruction ID: af9c56911c38bb01a90f3051b1236b2d5a9e2788053810add7b370d00e15f922
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6b7a95cbfe14745684b1a5b891778ab1c35772fe39e18682628e6a19c40487a2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AE116AB1B11245DFEB14CE34D4403EE7FA6DB4A764F14C65ADD0163292EA369809CB90
                                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 07459FF8
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359408027.0000000007450000.00000040.00000800.00020000.00000000.sdmp, Offset: 07450000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7450000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID: 6842923-0
                                                                                                                                                                                                                                                                            • Opcode ID: eb13efee850f098ce6444d0496de0bc4a325edec61f5a9a061d8d80f9462833f
                                                                                                                                                                                                                                                                            • Instruction ID: 93f58cf8b00c8d90359861e4d615224f0ff39d1b9cd7244853e71ee10a44e322
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: eb13efee850f098ce6444d0496de0bc4a325edec61f5a9a061d8d80f9462833f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 15118071B10205DFEB10CE34D4403DE7BB5EB89768F14C626DE15A3381E7369909CB50
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: Quk^
                                                                                                                                                                                                                                                                            • API String ID: 0-574571944
                                                                                                                                                                                                                                                                            • Opcode ID: 4ddcf393a82234fe4e6b81662415e16789609f16396480c5ef3f93dd6333245b
                                                                                                                                                                                                                                                                            • Instruction ID: 7d23e86f1b0a8625a179b554bbd901eb477a9dfd02a0a91652b0c9edfcbbf7d4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4ddcf393a82234fe4e6b81662415e16789609f16396480c5ef3f93dd6333245b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36B172B87006068FEB15DF38D59596EBBF6FF88300B048569E94A8B365DB34EC06CB51
Strings
Memory Dump Source
• Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: d4ab284f34c88ab29ff6a803cb236933e3d242e726f9de9dc4099b3b6c36a69b
                                                                                                                                                                                                                                                                            • Instruction ID: 74a5bd7135991f2f7d16ba2642933543a19014161d0f196084c3545c694c4d3f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d4ab284f34c88ab29ff6a803cb236933e3d242e726f9de9dc4099b3b6c36a69b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9C71B775B00219DFEB18AB75C854A6E77A7EFC8310F148429E50AEB3A4DE39DD02C751
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: Quk^
                                                                                                                                                                                                                                                                            • API String ID: 0-574571944
                                                                                                                                                                                                                                                                            • Opcode ID: 7148fd1b3121243cca4394f8264fdfa01685e02c6df1f57771e2aa724a5dca20
                                                                                                                                                                                                                                                                            • Instruction ID: 1eca0202cb8de666da1b4beb54c80097a519dd5fd1bec3a8a1d55c6003c5f7bf
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7148fd1b3121243cca4394f8264fdfa01685e02c6df1f57771e2aa724a5dca20
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 75716EB8B006168FDB15DF38D59496EFBF6FF88300B048669E94A8B355DB34E805CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 2d2eee7840da970dddccf694d776dd2e1abe02a7854828f52898960e2a5420b3
                                                                                                                                                                                                                                                                            • Instruction ID: 2d9fa6975476f5d161e4a7073fcf307dd9b46bd98dba8529c532d7f4c416d930
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2d2eee7840da970dddccf694d776dd2e1abe02a7854828f52898960e2a5420b3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A1713DB8A00319AFDB05EBE4C8506DEBFB2EF89310F144429D20A6B7A4DE356D45CB51
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 639bca8decafa5bdf3659b7afa9bb07ece9af2a017c03b6dd8323535d4bfc428
                                                                                                                                                                                                                                                                            • Instruction ID: de5e781430887bca2d60da694dda1452e25cc102156bec8b4a9f160f738dd2c3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 639bca8decafa5bdf3659b7afa9bb07ece9af2a017c03b6dd8323535d4bfc428
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B6614D7AB006059FDB11CF69C88099ABBF6FF8D350B1580AAE549DB321DB31ED15CB90
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: L<s
                                                                                                                                                                                                                                                                            • API String ID: 0-1978672643
                                                                                                                                                                                                                                                                            • Opcode ID: 8ad551d46574b02d6682545f58826f4a7b65d9d1373e4ebff508360485877854
                                                                                                                                                                                                                                                                            • Instruction ID: aa1dc2df0055fcf6d241ba546b098b042bf21a1751e86dccd4298bd357b0bbf5
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8ad551d46574b02d6682545f58826f4a7b65d9d1373e4ebff508360485877854
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A061C1B1B4020A9FDB14DF69D595BAE77F6BF88640F148029D40AEB394DF789C01CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: Quk^
                                                                                                                                                                                                                                                                            • API String ID: 0-574571944
                                                                                                                                                                                                                                                                            • Opcode ID: c05b16c4e3141ecbcf15d8793198d4fd5875eebbefedef63fcdc29695bdb43aa
                                                                                                                                                                                                                                                                            • Instruction ID: 4bbc041e5404e178b39e7cf955c5c6213ebdb585f5d7f27504009135a00c8ace
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c05b16c4e3141ecbcf15d8793198d4fd5875eebbefedef63fcdc29695bdb43aa
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DF616FB8B006028FDB15DF34D59496EFBF6FF88300B048669E94A8B365DB34E845CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: |7s
                                                                                                                                                                                                                                                                            • API String ID: 0-106565823
                                                                                                                                                                                                                                                                            • Opcode ID: 4708f0c7ecd3b8db1f4ab68c5d31d1c73fe52140eb7779c13856ba819a6bd591
                                                                                                                                                                                                                                                                            • Instruction ID: 4ff7164d6869d625802f2ba2a8e791eb171904f441e4ce86eb1c957dd2897fed
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4708f0c7ecd3b8db1f4ab68c5d31d1c73fe52140eb7779c13856ba819a6bd591
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2551DD74B006068FCB15DB78C995AAEBBF2FF84310B148169E449DB3A5DB34EC05CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
Memory Dump Source
• Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 98ef84974b3ff7ba7491b11c9f9f9d7746cc0c3ed29ad3b107115ab93142c1d1
                                                                                                                                                                                                                                                                            • Instruction ID: 12d6d1b511072aee36ea21275d7b07b11d5e0d395c2d86fdf1d218cea766ad52
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 98ef84974b3ff7ba7491b11c9f9f9d7746cc0c3ed29ad3b107115ab93142c1d1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 545117743047428FD725DB35D494A6ABBFAEFC5310B08C669D44A8B766CA38EC06C7A0
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (Adq
                                                                                                                                                                                                                                                                            • API String ID: 0-319377459
                                                                                                                                                                                                                                                                            • Opcode ID: 515e64efb0a307354999eb503a5bd1c25ff82dc95349788147fd3c4af3639fba
                                                                                                                                                                                                                                                                            • Instruction ID: c3cd5b8ac7a56e4020ae2bde1e1dc87a7b2cbfe2f4fbdcf30770082b2f0a0935
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 515e64efb0a307354999eb503a5bd1c25ff82dc95349788147fd3c4af3639fba
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 254193B0B50216DFEB24DF65D854AAEBBF6BF88250F144169E406AB354EF389C01CF91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: L<s
                                                                                                                                                                                                                                                                            • API String ID: 0-1978672643
                                                                                                                                                                                                                                                                            • Opcode ID: 2e7c0b48e1145a039d3b0ff3300a2f5efd9060b8c4236bd76f02510f1231a287
                                                                                                                                                                                                                                                                            • Instruction ID: a81eab7a63fd21ebc47d7c437619b7b1aef95cb832fdee5284ab277dea59f57a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2e7c0b48e1145a039d3b0ff3300a2f5efd9060b8c4236bd76f02510f1231a287
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EE41D371B402099FDB14DB79D594BAEB7F6BF88650B248429D006EB380DF799C06CBA1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 088fb4c4a3df3e8dc24063909ed55a325d98357ed07fb4a9fd57636de11a9eae
                                                                                                                                                                                                                                                                            • Instruction ID: 824d68ee8e303dcaf3de2f3156dd000f765ea532e00e19071a081cb141df1f71
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 088fb4c4a3df3e8dc24063909ed55a325d98357ed07fb4a9fd57636de11a9eae
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 20417CB4B006058FEB24CF59C4849AAFBF2FF89320B15C6A9D45A9B751DB34EC41CB94
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 4'_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2033115326
                                                                                                                                                                                                                                                                            • Opcode ID: 15e7c4b9a44d5c498b4ae9a95d4d58c8f05206273337de51346648825c8cbf4a
                                                                                                                                                                                                                                                                            • Instruction ID: 582ff0a407e2fb760c7f2a404f645b782473d1f00e29af2e191568b0e6fd27ce
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 15e7c4b9a44d5c498b4ae9a95d4d58c8f05206273337de51346648825c8cbf4a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1C31A5B56003469FDB15DF68D880A9E7BA2FF85314B1045AAE4488F256DB34E909C7D1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 4'_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2033115326
                                                                                                                                                                                                                                                                            • Opcode ID: 6da393efaff3246781552f698f1cda951954ae58c1be652fca2daf67dee87646
                                                                                                                                                                                                                                                                            • Instruction ID: 0fca04d9b64d8b0ae8bd13d1ae108a19a5b795e6d1a2518a5d5eb53301e781df
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6da393efaff3246781552f698f1cda951954ae58c1be652fca2daf67dee87646
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4D31A3B5B0020ADFDB14DF68D880A9EB7A6FF84314B108569E5088F355EB30E90ACBD1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: dff66503c2ed185ee189384298a27a8ec40ae72bcc42d6e97d5d328c541e50a7
                                                                                                                                                                                                                                                                            • Instruction ID: aed2b33cf440de301021a12f1f1a649a736d61f95b18485bcba2412e7437da75
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dff66503c2ed185ee189384298a27a8ec40ae72bcc42d6e97d5d328c541e50a7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8331E471B043499BF729A778886436E7BA79BCA310F14846AD50AEB385CE7D5C01C792
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
Memory Dump Source
• Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 734dc18aa4802c1129404511303a8b0b7e03477bfdeecc1c83d38cb64eb2d04c
                                                                                                                                                                                                                                                                            • Instruction ID: 50c89dc5a3c93bab8879d81f38a52fec5ae441d6f3584b0fbf8cf5dd5534dab1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 734dc18aa4802c1129404511303a8b0b7e03477bfdeecc1c83d38cb64eb2d04c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2A2105B53002419FD720DB2CE44086A7BEBEFCA32075880AAE549CB361DE29EC06C790
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: \;_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2457888070
                                                                                                                                                                                                                                                                            • Opcode ID: 5a7f57b134cf70964f82c797672cabc563bec127ceffeace40a5f314ee32d5fc
                                                                                                                                                                                                                                                                            • Instruction ID: df2875f00edd07b2e19667ae6427238d52a04a1896280887ade2802f722c0d76
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5a7f57b134cf70964f82c797672cabc563bec127ceffeace40a5f314ee32d5fc
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7311A3B63052054FAB289AAEA88495FB7DEEFC8265714C03BE50EC7759DE65EC018350
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: LR_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2241839734
                                                                                                                                                                                                                                                                            • Opcode ID: 2b7feab9f820abe5579276e95f171e018b170cb79e76dc2009adf9a35980c649
                                                                                                                                                                                                                                                                            • Instruction ID: c7db5cbe615cf859b52bff0d48dbe993283ef4db04894913ff4ede3c26a6d288
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2b7feab9f820abe5579276e95f171e018b170cb79e76dc2009adf9a35980c649
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8921C074B10108DFDB189F69C455AAE7BF6EF8C750F10801AE506AB3A0DE745D01CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: LR_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2241839734
                                                                                                                                                                                                                                                                            • Opcode ID: 56260e2eac170dfb852bc885e7567995ed60234d399370fc81a8c27006a20280
                                                                                                                                                                                                                                                                            • Instruction ID: 718b19510b08a5352bd9d1d25d6cbde75354fa92bde74a8092754e32db19a3d2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 56260e2eac170dfb852bc885e7567995ed60234d399370fc81a8c27006a20280
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7D21A174B10108DFDB189F69C455AAEBBFAFF8C750F10801AE506AB3A0DE745C01CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: fdq
                                                                                                                                                                                                                                                                            • API String ID: 0-3955173561
                                                                                                                                                                                                                                                                            • Opcode ID: d31e83d3c7ef8ddf5ffe03f05cc0a8675ed834727d4c77fc4545284f9e2a703b
                                                                                                                                                                                                                                                                            • Instruction ID: 0854a0ae8f707f752f116eefb408a0b226efd9173ad4eeb88bc0f79ab88b4b8a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d31e83d3c7ef8ddf5ffe03f05cc0a8675ed834727d4c77fc4545284f9e2a703b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AD11C475B011199FDB08AF74A4449BFBBBBFBC8741B10802AF909C7240DB388E06DB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: fdq
                                                                                                                                                                                                                                                                            • API String ID: 0-3955173561
                                                                                                                                                                                                                                                                            • Opcode ID: 2a9acb83d657ffab4f3978a21bd8baf882cc8e7e7bdddd3138cab5086275e3ff
                                                                                                                                                                                                                                                                            • Instruction ID: 68d1faba1e983e870c7b959e6af7fe2a3f5ad8ec3e56d78050df8332cc04ff02
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2a9acb83d657ffab4f3978a21bd8baf882cc8e7e7bdddd3138cab5086275e3ff
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1A118675B001195FDB08AFB5A8449BF7AABF788751F008029F909D7340DA384D068791
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 67046db88924f3dd90f35512f0e497b6780110c47296b5af16e99b901abd1f98
                                                                                                                                                                                                                                                                            • Instruction ID: a2acd42aee88bae6b6e471ac11e54f922306831e812fadfe7c3780f8258a6996
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 67046db88924f3dd90f35512f0e497b6780110c47296b5af16e99b901abd1f98
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6F01D4353042414FD7159B3DD85096E3BD79FC525075844BAD149CF756EE29EC06C351
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: T;s
                                                                                                                                                                                                                                                                            • API String ID: 0-676690661
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: C8
                                                                                                                                                                                                                                                                            • API String ID: 0-816706217
                                                                                                                                                                                                                                                                            • Opcode ID: 801dbc59b563fa7be153bf5ee7ae27472908281f8fcc6e01614e88436d7a6743
                                                                                                                                                                                                                                                                            • Instruction ID: 011b933e88ce3e96bb41e8ba71feb63f6b0ca533de81e1ea4ccbb2ec205f0e31
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 801dbc59b563fa7be153bf5ee7ae27472908281f8fcc6e01614e88436d7a6743
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BE0126FA7402225FE7159A58884077D3367EBC4750F10805AD64A5B744DB796C06C7C0
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: C8
                                                                                                                                                                                                                                                                            • API String ID: 0-816706217
                                                                                                                                                                                                                                                                            • Opcode ID: 38909b136c642a8ac5ad22ee96ef7fbc04c7b8a74e84f1eb2ebdf1e7b565e50a
                                                                                                                                                                                                                                                                            • Instruction ID: f8deb55faa54b8fb3adca90a7359722b89277df8263c2d81f2b21c80e3cdd4c0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 38909b136c642a8ac5ad22ee96ef7fbc04c7b8a74e84f1eb2ebdf1e7b565e50a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 95F028BAB802225FE7159658885077D3367FBC46A0F14806AD64A5F784DF756C06C7D0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1e4aceca300c8c8916ad18ca2cd24cf19e5091345f2da048247cb1ca364aa44d
                                                                                                                                                                                                                                                                            • Instruction ID: aab10b15e109154e51c3e4f2d5566801b1f1968c51d44eac5bc913d387086967
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1e4aceca300c8c8916ad18ca2cd24cf19e5091345f2da048247cb1ca364aa44d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 43D12A74A0035A8FDB15CFA8C988B9DBBF2FF49300F158295D848AB265D774ED45CB50
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: abb2f1061b62c639d1e46a81e19a76f5ec3f880fc88c6adea8b1a9e855cd287c
                                                                                                                                                                                                                                                                            • Instruction ID: d767dd836d620c1019bffccbe88209c2d37a920a98aa379d9e170676b9bbe2f2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: abb2f1061b62c639d1e46a81e19a76f5ec3f880fc88c6adea8b1a9e855cd287c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 505190B290E3C0DFD7178B34D8905817FB5AF4721170A81EBD4488F1A7E67D994ACB92
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9910fc543f561b00f40f9acdba39974d644123e579bd04b97c3df9d9b9608d53
                                                                                                                                                                                                                                                                            • Instruction ID: 3400e2e67f1481926bd1e9c75c8aa56181748e9f45dab56064abb2d044405254
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9910fc543f561b00f40f9acdba39974d644123e579bd04b97c3df9d9b9608d53
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6D512BB53541029FE7289F2DC59492E77FAAFCA651729C0A9E40ACB375DE38DC01CB41
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9cf45cc0f3febcf3866423def9174c83138edd4a0098d406a3850238941f7187
                                                                                                                                                                                                                                                                            • Instruction ID: 1f309591249c341842ca35d5afe1db678d797b6376b77368a3621ca55dd64680
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9cf45cc0f3febcf3866423def9174c83138edd4a0098d406a3850238941f7187
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0B51BEB550E3E15FE7039B389C605EA7F759F43211B0A40D7D580CF1B7D6288A49C7A6
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 65d820fe5d071492dd010081b74e2821c80becb312b7ef35b874ec786f447a28
                                                                                                                                                                                                                                                                            • Instruction ID: 132c4af49675a7da313f7943dcbb1af0cd4ca6ebdf75dd85bd3c2ce77c9fa0d1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 65d820fe5d071492dd010081b74e2821c80becb312b7ef35b874ec786f447a28
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CF5181B8E0020AEFDB04EBE4D954AAEBB72FF88350F404419E616677A4CF391D15CB61
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
Memory Dump Source
• Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            • Opcode ID: e761c89eaa49cb03e3d04a0d4c8c4a948466eecd08f7f6b423c9b981c1405cdc
                                                                                                                                                                                                                                                                            • Instruction ID: 513928898501fc895b272e725f5bbf24e21c437cd54c75fb63cd4a92f5650dea
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e761c89eaa49cb03e3d04a0d4c8c4a948466eecd08f7f6b423c9b981c1405cdc
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AD411C75B00119DFDB54DF68D88099EBBB6FF88711B108169E909EB360DB35DD42CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 79d6c327f46966bccabc24dd9ac6d343926b9eac1b86f0d148ee1f15db1ff3a5
                                                                                                                                                                                                                                                                            • Instruction ID: 6c4f6fc4df38f1e3b6d90c9624195f298d33e6c8d7568ffdcb0971a5d4db265e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 79d6c327f46966bccabc24dd9ac6d343926b9eac1b86f0d148ee1f15db1ff3a5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9241A3707002568FDB24DB38D888A6EBBFABF89340F044569E146CB366DB79E905CB50
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: ea4ccecbf5bb206837dde45c69021d9f1c2e8beaf62fbe93270f63759ecf9e2c
                                                                                                                                                                                                                                                                            • Instruction ID: a80af340ade5ec6222e8d2c5e8aee7622b3a3273ec37a48feb94d4e176c734a0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ea4ccecbf5bb206837dde45c69021d9f1c2e8beaf62fbe93270f63759ecf9e2c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E7318DB5B001068FEB20CA69D880AAEF7BAEF84251B18C17AD91DC7715DB34EC11CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1a5fb2d196f1bb086f5b31d2286d5ad934efab862d964cb33e6c83ce697a8fac
                                                                                                                                                                                                                                                                            • Instruction ID: 694b42894bbe50236912932a017dc893041d9a518654c2a78c39837603fda5af
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1a5fb2d196f1bb086f5b31d2286d5ad934efab862d964cb33e6c83ce697a8fac
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7C31C0B49093989FDB12EB7CD4A04EE7FB1AF4A310F0540D7D0859F262D6385E48CBA2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7c1ef53c0c454af5324d4d79a80470a4c47a2fcea73213ee100c362375f9967e
                                                                                                                                                                                                                                                                            • Instruction ID: ba3207f3334963df8a7e5f1a5f742a0cd9615e4bb71ae50af0fda6294b4cc9dc
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7c1ef53c0c454af5324d4d79a80470a4c47a2fcea73213ee100c362375f9967e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 72210A722563AAAFFB22267468113F67F59DF43221F104073E94CDA151DA2D8896E391
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d6e084468f27e405dd07babe08fcb2533cd9d51c2daae1db0c4ac9c91062a4aa
                                                                                                                                                                                                                                                                            • Instruction ID: a85bd54bc2afe52e54448b1123ee091cfc706e4b5c060866f97e6dd17e474d51
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d6e084468f27e405dd07babe08fcb2533cd9d51c2daae1db0c4ac9c91062a4aa
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 56318F75200602CFD725DF35D594926FBFAFF89311B08D668D44A8B666CB34E846CBA0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 72937794bfe8e6fecba6f40f4378d60c78d302e4ae02fe92b2fd2d00d501c8b1
                                                                                                                                                                                                                                                                            • Instruction ID: 881121bd038a2cad1bcdc3194e3ee0d2caba531465d938b9a8d9829c60a4a501
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 72937794bfe8e6fecba6f40f4378d60c78d302e4ae02fe92b2fd2d00d501c8b1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6A213574601742DFD710CB68D8A059ABBFAFF46255B008166C119CF651D738EC85CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8c517b3aa5c60fc1080edaeb8902a40b8eeb927a28d5645b51ceb9875a7ae992
                                                                                                                                                                                                                                                                            • Instruction ID: ec3c1cbb18e385a2efd1f7f111d2315497f7283c85c3c17566a90b89cf56b0ed
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 739964059d31b747d3d8eb67c032c7abb424f586a59bdf99513cfd92067b6670
                                                                                                                                                                                                                                                                            • Instruction ID: c2429eabb4afdcc432e590f11bcc3b0464f775e0f962498c272e04dc82a22a78
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 739964059d31b747d3d8eb67c032c7abb424f586a59bdf99513cfd92067b6670
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B611D376504284CFCB16CF10D9C4B16BF71FB84314F28C6A9E9494F65AC336D45ACBA2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 83c939f57968ed8330c6a65db11e24e1c59c83dcf99076ad7c0ee8e7f599ad3f
                                                                                                                                                                                                                                                                            • Instruction ID: 805ef2018e7aeb2d616b14edcf6c937543774cdf6f6a54235567a05343d58462
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 83c939f57968ed8330c6a65db11e24e1c59c83dcf99076ad7c0ee8e7f599ad3f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F92138B5D042099FDB20DFAAC481ADEFBF4FF88324F148429D419A7240C7796946CFA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: abdfc837cd231855ec8446a4b61c77223ba86e161fdb54aeff4df3d9da2a4991
                                                                                                                                                                                                                                                                            • Instruction ID: 52d5affcc34bb81a9cc45feef1341255395e3fa17604035787de2462e79cf4eb
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: abdfc837cd231855ec8446a4b61c77223ba86e161fdb54aeff4df3d9da2a4991
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0021BDB8E01209DFDB14EFA8D5909AEBBF2EF49310F504499D549AB354DB34AE40CF91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2de2af8d52ae9bc499cccf15413d998d99f7d64ce3cad4ad1bf7453fb429f5d8
                                                                                                                                                                                                                                                                            • Instruction ID: 8b1807e82cff0320815a872132b6dcc6c66fe7e7b2a76187d4fd2570eae93911
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2de2af8d52ae9bc499cccf15413d998d99f7d64ce3cad4ad1bf7453fb429f5d8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7B1117B5D042099FDB20DFAAC481ADEFBF4FF88314F10842AD41967240C7796905CFA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 16fdd41b2cab884fa834b8e6b3e90a3750075bb9b827a75cb77dad9649de1c3a
                                                                                                                                                                                                                                                                            • Instruction ID: 66ad547cf71e9de5c794a9c48b044455e02b89b2ae33dd0e172d9d9e47a1f243
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 16fdd41b2cab884fa834b8e6b3e90a3750075bb9b827a75cb77dad9649de1c3a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E6118231601119BFC704DFA4E468AAABBB7EFCD311F14501AD409E7340CB799C45CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 851c21d5f07aebc2761a49652d3f9c682b5694414e2472a6023aea1f2d5bf0b1
                                                                                                                                                                                                                                                                            • Instruction ID: 361b96b84d0f561a2509e6e9c38696f0458ff5e7c711e76b66c776d32a7d77f7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 851c21d5f07aebc2761a49652d3f9c682b5694414e2472a6023aea1f2d5bf0b1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A20121B47002039FDB209A79984099AFBFAEF89251708C17AD51CC7305DB38EC46CBA2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5fdf9803ffc0a2279d224bfc378f8e4ca92a086b86200eef234212155ba78ff9
                                                                                                                                                                                                                                                                            • Instruction ID: 925b5bdc6a3e5e25d8bcc7db5a8c58ee6a8615ab1878adb19f81ca44f9783673
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5fdf9803ffc0a2279d224bfc378f8e4ca92a086b86200eef234212155ba78ff9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4701A2F53443429FE725CA2CC890A6ABBE9DF89320714807AD84DC7755DB35DC00C750
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 634d13e21f945ca77d58dc289b800dd0b016ef41b2e1b4c93dbd66c516655a17
                                                                                                                                                                                                                                                                            • Instruction ID: 292a559885b2c2542c4e8e625b6f9a53db8e1888beccba943f60a44718535776
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 634d13e21f945ca77d58dc289b800dd0b016ef41b2e1b4c93dbd66c516655a17
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 95F09076604256EFD716CF69D800D89BFF9EF8A35031980E6E488CB262E734D954CFA0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6db5a5e848de82c037cd3d23a669c498160ab128fde8a2ad41536077bdcbedef
                                                                                                                                                                                                                                                                            • Instruction ID: ebe4de9517d6efc1001e18a56659d68424ed90a861998152bab12696bf2c56d9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6db5a5e848de82c037cd3d23a669c498160ab128fde8a2ad41536077bdcbedef
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 28F0C8B5300306AFD314A769D44596E7B96EBC03A0740452DE24E8B759CF76680947A0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 140c2782b50722963f86265f4e5f2d5198581bb1f7b74344b4484a27cd3e27ce
                                                                                                                                                                                                                                                                            • Instruction ID: f01a298115d52e339af72f014e74ed8bd279183cca6ff7613883d616be0a16df
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 140c2782b50722963f86265f4e5f2d5198581bb1f7b74344b4484a27cd3e27ce
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 23F0F6312492929FD7164B34C8544697F66AF41228B3880EED4494B646DF37A943C391
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: daeece10f5e4cb68cae8e2c1ba393eb6d4e17b08b221f45ad3854943b3c570a9
                                                                                                                                                                                                                                                                            • Instruction ID: 1f9a88ad829a8a970771689219906b9ca6e4b0c758eb9be6e51da7d14136c86a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: daeece10f5e4cb68cae8e2c1ba393eb6d4e17b08b221f45ad3854943b3c570a9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E2014C35108BA2CFC3358B64E4051C6BBF5FF81345B00482ED0CA87A62D7F96488C752
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d18dae82d0f641674afea67bcfc006bc495e4a6bd891df0393104d4581002d1f
                                                                                                                                                                                                                                                                            • Instruction ID: 289f2e524e0f7c1391638ca7a2fd7c6c92f7968a02c5344e8634e58d02da92ec
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d18dae82d0f641674afea67bcfc006bc495e4a6bd891df0393104d4581002d1f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DBF0BE753043469FDB21DB78D85099A7BE6EFCA22030444BAE089CB626EF65EC15C7A1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f996584a26c808cd409212dee88410f06b600115090a2052468254f61653c3e2
                                                                                                                                                                                                                                                                            • Instruction ID: b1d36e6abf864b689c138eda869c67443bb578048a726424aebe1a82be77ff99
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f996584a26c808cd409212dee88410f06b600115090a2052468254f61653c3e2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 000162F8E00209FFDB04EFB8D581A9CBBF5EF84240F4085A9D509EB244DA356E08CB40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e8b2c97727ed57e2b40a8cbe0cd55a8d84527192e9a06b7cd34825cd5b1da995
                                                                                                                                                                                                                                                                            • Instruction ID: 1ec93136892818fc43681b213ac82d5daa606616ddfbe70074191927bf7ea4dd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e8b2c97727ed57e2b40a8cbe0cd55a8d84527192e9a06b7cd34825cd5b1da995
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 38F0E9F67003028FEB20876CE4889AAB7A1EFD4371750C239E51C8B314DB25DC00CA50
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c91ead521fd120f79ce5d541b9cc5502ce4cafcb171216a168b8ea2531fe28ab
                                                                                                                                                                                                                                                                            • Instruction ID: 072a50017ccff8194d70ba8017b300489d4d3f73d9f488bcbe4e2d51202c0e77
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c91ead521fd120f79ce5d541b9cc5502ce4cafcb171216a168b8ea2531fe28ab
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 50F0E9B1244353ABD332563698015FA77ED9F82260B854577D048C7459EA7A9844C3B1
Memory Dump Source
• Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b4702d33ffa7ea81abc09925a2b2189383ac80a688766dcafba3e62b3d7d09b7
                                                                                                                                                                                                                                                                            • Instruction ID: c607bf10501d123b404ec300c42a557997a092bf86fa885c4d0102ff70d42b06
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b4702d33ffa7ea81abc09925a2b2189383ac80a688766dcafba3e62b3d7d09b7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3AF054B0D0538D6FCB21DBA8D4414EDFFB99F06310F0042DAE8489B362DA355A55DBD6
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 146ea29554d3817af54c62af671fec00acfecfa2ee081ce4fd1871d4dfddb7ee
                                                                                                                                                                                                                                                                            • Instruction ID: 96c3e9c94222a6e392049a884714385b859362ad7c9d96f1bb8270f633b3761e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 146ea29554d3817af54c62af671fec00acfecfa2ee081ce4fd1871d4dfddb7ee
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 84F090743053428FDB219B7CD95095D3BE69FC9350304446AE189CB665DB25EC46CB50
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4ccc015bb693938b8a400bdca86119e36fecb2ddb81d2284a5e0ecf8aa17b657
                                                                                                                                                                                                                                                                            • Instruction ID: 2e381be8faf6c68919161a6c3386027009902cb785e2eb6d0e01a4ab41367409
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4ccc015bb693938b8a400bdca86119e36fecb2ddb81d2284a5e0ecf8aa17b657
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E1F0A0757002228BD728DA799940466B3EEAF886A0308E1B5DA09C7728EA75DC02CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: ef2c2bc47794b1dc641b78aeb6700985cb3ae7ff6371b3ba0515dd77bc73dca1
                                                                                                                                                                                                                                                                            • Instruction ID: 01319d8757226300c5f705b61a868ce3ceebdd8c515197adc6c8daa730400021
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ef2c2bc47794b1dc641b78aeb6700985cb3ae7ff6371b3ba0515dd77bc73dca1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DAF0A7313083459FE7155B39A884865BFA9EF87361B1541FAE049C72A2DA288C05C751
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f6d1b1d21e10e76b3f6a6ba284e7e45afd1f564facf18f329de86d0d1c34bf21
                                                                                                                                                                                                                                                                            • Instruction ID: 4875d49e428dbf9a308b8aa73aed297c5b4da1e78e80ca968e3dfbc5e23980fd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f6d1b1d21e10e76b3f6a6ba284e7e45afd1f564facf18f329de86d0d1c34bf21
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 46F08C7061939F4AFB35227556003EA2FD84B43714F010076C8C9CA282E6DCC885E3E2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4be8f1b4aa1bf8419dfd3e4165bd60b81b847793cf3e64241335299228aefbce
                                                                                                                                                                                                                                                                            • Instruction ID: 096328bcf1aa6aaff12829c3c25c3e79384ad43708d7d66ca0f0bea107a6cf70
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4be8f1b4aa1bf8419dfd3e4165bd60b81b847793cf3e64241335299228aefbce
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ECF096B6A4121F6EE70C9FB4A56722A7BFBEFC5214B04182D850DCE150FD289800C7C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f5ddd3d8ea0bd02b49b1ebc8144c68242bdb9af9c8a068e1588d2b83b1319ebd
                                                                                                                                                                                                                                                                            • Instruction ID: feef946ea24d6be0a47e30bc2f4d7d1abc80a62d0ce4e46a9a73d55e312cc2ed
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f5ddd3d8ea0bd02b49b1ebc8144c68242bdb9af9c8a068e1588d2b83b1319ebd
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0EF01CF1E1125AEFCB54DFB999001E9BBF4EB09651B21847AC41EE7600E3318611DFC0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 55fe1d65d956231a19cdd9efb232593812ebaa8340f1bd4c23a32eb0a3ecc664
                                                                                                                                                                                                                                                                            • Instruction ID: 7b3d101d244187ce6ae65fc606babcab4fac971ea1945e6b6d89bcb88892fc67
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 55fe1d65d956231a19cdd9efb232593812ebaa8340f1bd4c23a32eb0a3ecc664
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ADF020F1909289EFDB11CFB4E8520EE7BB9EB02340B1001EBD508C7662DA355E04D792
Memory Dump Source
• Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0f953c43befa8a43115082b856c60605b6b43e586562eba49accce8e19738e4b
                                                                                                                                                                                                                                                                            • Instruction ID: 0d9bc89a939b719ef2528a0951319111c1eb58daa0dda046981be542f5f42669
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0f953c43befa8a43115082b856c60605b6b43e586562eba49accce8e19738e4b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 32E0EC6508E3E28FDB125B3895B10D57FA59E4331A71C04EBC0C5CE0A7D66C9499C79A
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e15794d860bb9fc27c7cdb81b3e670b0f016d90053ab2f128c1ea2f1d44c5b1b
                                                                                                                                                                                                                                                                            • Instruction ID: aabe97b0d1011ea91ddb8f46ad09ed21da41662cddf792292da398fe1cb819e5
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e15794d860bb9fc27c7cdb81b3e670b0f016d90053ab2f128c1ea2f1d44c5b1b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1CE0C2393003185BC214B758E04995E7BDEFBC57A4B40042DE54A8B744CEB578458B95
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 24dc36f2751cbee32cfdc23d64b4d9adc5e9fdb23dbebee88a396e9d9229af4f
                                                                                                                                                                                                                                                                            • Instruction ID: 5110ba88c3597d7bfd449b38b2a8b8914025fa1a400c087056c2cd1fe85112d1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 24dc36f2751cbee32cfdc23d64b4d9adc5e9fdb23dbebee88a396e9d9229af4f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 16D05E7B300269975614219E741592E76AECBC5AA1304012BE70EC3344CE594C015395
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0a9b5313338340d75a96ec6cd50f48074bc3aa38a2a1e9d76220984452de3228
                                                                                                                                                                                                                                                                            • Instruction ID: b2172d63d11a64981ac15ca2a981a1a4ff2005a3c3c84d9e7702faf9d97c7ebf
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0a9b5313338340d75a96ec6cd50f48074bc3aa38a2a1e9d76220984452de3228
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 14E0ECB53042049FE314DF5CD880C95BBE9EF992543558199E84CCB712DB22ED12CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: a985f859fffef7352dbaaf0b4e2d71ccd120b31de4da2fb0bea82b76277e73a9
                                                                                                                                                                                                                                                                            • Instruction ID: b8fecb8840612ec28bd1f9af4bc6aa41618a89872bea1deb2636d30c2fac2c31
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a985f859fffef7352dbaaf0b4e2d71ccd120b31de4da2fb0bea82b76277e73a9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3EE0CD329813119BE304D734FD417D93353EB91710F014636F1015F15CEBA56D0A47C8
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: a0145e6b372231117542c0917ac863e5f47b11a8df1cc876dbecd687b83cc72b
                                                                                                                                                                                                                                                                            • Instruction ID: c6b989fd60af6e51430f4cd7a96d7deeb1861288c392c3f1bf3a4e0c6f9c8a5b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a0145e6b372231117542c0917ac863e5f47b11a8df1cc876dbecd687b83cc72b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 30D02E32600020CFC30C9B20E8422983BA9E308220F00803BE8988B260CA264C02D7D0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6316c47527afce445a0413fe30b60d75515b57cb8a332868e374ebe1f8ad19a2
                                                                                                                                                                                                                                                                            • Instruction ID: 011eefea404d1c415d80e270042dd6cf4f279c2f1f0581f97bb76fbb448ebd7d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6316c47527afce445a0413fe30b60d75515b57cb8a332868e374ebe1f8ad19a2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 84E09274E0420CAFCB54EFE8D44559DBBF9AB48300F0081AAE809A7354EA345A088F81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000B.00000003.1359372804.0000000007370000.00000040.00000800.00020000.00000000.sdmp, Offset: 07370000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_11_3_7370000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$,cq$,cq$Hcq$`]dq$`]dq
                                                                                                                                                                                                                                                                            • API String ID: 0-1825324008
                                                                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            • Opcode ID: c66ec32076af884da56b0883c7844fb564c83e8ec94e4c3e7e140c3c666ab88c
                                                                                                                                                                                                                                                                            • Instruction ID: 3c8010af1ad832b053712c93460850a497e01c337d4e250cf567e329d712a341
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c66ec32076af884da56b0883c7844fb564c83e8ec94e4c3e7e140c3c666ab88c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 74B17C70E00209EFDB10DFE9CD857DDBBF1AF48314F248129E919AB255EB74A846CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8fd33876d06f28ff11fb44aae1c3ca65c1b5c1f496878ec1e53f9f3070e47230
                                                                                                                                                                                                                                                                            • Instruction ID: 79222f442ee5fcdc1126e0bbe3569e650fdc373e0b72a35efc90b90960591103
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8fd33876d06f28ff11fb44aae1c3ca65c1b5c1f496878ec1e53f9f3070e47230
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C4411E76B101189FCB54DFA8D88099EBBB6FF8C714B108169E905EB360DB31EC42CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 229a498bd3ddf633cd19dbd9ef2b8d6291767f4124c216bc53be3dd27dd5d375
                                                                                                                                                                                                                                                                            • Instruction ID: 313db3d07d6cfc6ff7b391837179defffd1f6ba4c2d90deb0a70302d4c9aa7fc
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 229a498bd3ddf633cd19dbd9ef2b8d6291767f4124c216bc53be3dd27dd5d375
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2C11E132F01214D7EB108AB58D546EEBBEADB88244F04803AEA06D7346EE34ED0287D1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: cb861a59fef5a02de9aac6ff9ee49ff091509fbc4e28b0439c90db780f57d7bc
                                                                                                                                                                                                                                                                            • Instruction ID: 4586488075b097247b45188f7e411e6d87bf405fe18791cbafd323e20cef1363
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cb861a59fef5a02de9aac6ff9ee49ff091509fbc4e28b0439c90db780f57d7bc
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 131159327442405FE30567BC8C547AE3F9ACB86224F0488AEE649DB296DE25EC0683E1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 37e379aa725865926b85f9ac9477c07d0ff6ea8ce2f65eff859eb4ebc0774980
                                                                                                                                                                                                                                                                            • Instruction ID: 0a49d504d896da4f0477ce8d05b206a4f915ac4429cb76b153120f52d4828b0c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 37e379aa725865926b85f9ac9477c07d0ff6ea8ce2f65eff859eb4ebc0774980
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DC11C676B001184F9B95BBBC54202AF7AE79FD8355B100479D90AD7344EF35AD028BD3
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 31406ec299961f4b8feb6eb0ad32b0691956e9b2df1b64d5cb62071789dfe081
                                                                                                                                                                                                                                                                            • Instruction ID: aeccfca35d55051154d211b844b13200967d7029618a94769cef13fc960d03e5
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 31406ec299961f4b8feb6eb0ad32b0691956e9b2df1b64d5cb62071789dfe081
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 98212E75E102089FCB54DFB9D8849DEBBB1FF8C710B108169E915AB360D7319942CF91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 07a8f38b785d5e483280cd1b6a08d0044c68af5df62cb8071445aa8e74f7de70
                                                                                                                                                                                                                                                                            • Instruction ID: 93a372f03093e38a71e9042b2d3e1c63e339fef67a327cbdf391d188ab4ccaef
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 07a8f38b785d5e483280cd1b6a08d0044c68af5df62cb8071445aa8e74f7de70
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 57118134A04255EFD744DFA4D454AA9BBB2EF8C318F104419E50AA73A1CF399C86CFD0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 955f97da9936a54297505294afebccc5dbd2708102e07136ad5af7e14a405914
                                                                                                                                                                                                                                                                            • Instruction ID: cda4c31b233fa750ee75352fbde54bf53ad113b5278463ff167149a7a343af94
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 955f97da9936a54297505294afebccc5dbd2708102e07136ad5af7e14a405914
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FE012276B001104F9B40ABB858502AE7BE2DBC82457100069D90AC7340EF35E9038BD2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f11335a9dd8ce74b22f383d35b06cb82dcbb28cfeebdb558262990b9c9477143
                                                                                                                                                                                                                                                                            • Instruction ID: 75ce5f448c7a55f57ea6472a9df094ee407af4b95e1039fc3beb50fff250755f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f11335a9dd8ce74b22f383d35b06cb82dcbb28cfeebdb558262990b9c9477143
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DA2115B0D042099FDB20DFAAC8846DEFBF0FF48314F10842AD51967240C7756946CFA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 66c3c9b835b7032fb8b7b31be0c019a25f120fa9e97063485a74336d542af8bc
                                                                                                                                                                                                                                                                            • Instruction ID: 9abaf303279151adcd048c3319df0e712f0bc51395e16f875ad8d9a229e07d48
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 66c3c9b835b7032fb8b7b31be0c019a25f120fa9e97063485a74336d542af8bc
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F01106B0D042499FDB24DFAAC881ADEFBF4FF48314F10842AD51967240C7756905CFA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3824e0d3f85c6f32e8e4f058dc46164f19f66e218567bf52b492d527eeb1ceeb
                                                                                                                                                                                                                                                                            • Instruction ID: f99d235476c96093f0cbcb8187ee5c9cd9ac62c7ff65b0c75a0f3d0e02d4cf37
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3824e0d3f85c6f32e8e4f058dc46164f19f66e218567bf52b492d527eeb1ceeb
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EB116031A04154BFD744DF94D854AA97BB6EF8C314F104019E409A73A1CF799C86CBD0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6eda2c9a2182912d14c6837f5c38e18ec359de0865a93bf1feb1e70e43448f7c
                                                                                                                                                                                                                                                                            • Instruction ID: 99babe822bf50e7f7e37b3fa31e49682f5a7c698386b54f21e8458219d1e3a63
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6eda2c9a2182912d14c6837f5c38e18ec359de0865a93bf1feb1e70e43448f7c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F4017139B002158FCB44EB74A8457AE3BF6EB88615B204069E909DB360EF35E947DBC0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3b7125724680f639fd8870f7d3af73d21924ce107cc69922cafacf327df6f7f7
                                                                                                                                                                                                                                                                            • Instruction ID: de71a6addd5efe9cb87128af3b65855b8ca8f4b83f5cf46800a98e97facb6da1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3b7125724680f639fd8870f7d3af73d21924ce107cc69922cafacf327df6f7f7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A301F770A0934A5FD7096FB858352267FE9EFC12087050CAEE649CB162FD24DC0687D1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d6a8561756cac471202b25e902b582b37b908c6ff90b7d161aa453e53d733ff1
                                                                                                                                                                                                                                                                            • Instruction ID: d14f40d1424eed0b586c6e97085db95f27ce5586a839172f733108a6d7baa579
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d6a8561756cac471202b25e902b582b37b908c6ff90b7d161aa453e53d733ff1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2D01D131A0410597FB18AAA8CAA53EF7BF6DBC8704F60402DE602B7381CE716D069BD1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3b6e1f319d8777c4a7ae64eb4930f954bd9352c08887c2cd1fa03ed06e4ad117
                                                                                                                                                                                                                                                                            • Instruction ID: df951845ea71bf942e06f334709d269e0a8b27c52e83cb1d1f42aa7e9c61d9c0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3b6e1f319d8777c4a7ae64eb4930f954bd9352c08887c2cd1fa03ed06e4ad117
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E4F0C8353402015FEB196BB4E94979D3F26EB41308700847DF9468B6A6DE71E84F97E1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000002.1370470937.000000000476D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0476D000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_2_476d000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8e313d905154b225331d41656e2ebc0ab9ad765d2e6a189a68828b1eacceb488
                                                                                                                                                                                                                                                                            • Instruction ID: 7d346becc61782dbe778ddc2010cf812f5b998735c6ab3ffbe38cc5c2e11163e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8e313d905154b225331d41656e2ebc0ab9ad765d2e6a189a68828b1eacceb488
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 55012B71704340EAD7308F2AED84B67BF99DF41320F18C82AEC0A1B386D278A805C6B1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000002.1370470937.000000000476D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0476D000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Instruction ID: 5acfcde9f5051728fa27915f1be6e859ee3c707f416071e990b92dae0ea2d7a2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 343493a93372268da871a6904c000ed335a6472ffa105ac8e3b7ca5812c46fd2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 15E02B712042200FD3025728E4514947B74DF0A718F1100DBD54ACB363C765DC038785
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5d08e658ccde2f530c9cf3c81fbb2f001b2ed48a0ec095bf0a8d73111e81d342
                                                                                                                                                                                                                                                                            • Instruction ID: 5ee7e36fb170cb0afe16fe478dd4823d28376bf536e85e3d162df80aa0d8a592
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5d08e658ccde2f530c9cf3c81fbb2f001b2ed48a0ec095bf0a8d73111e81d342
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8DE0463600F3C09ED70287B48865B51BF709F07204B1A44DECA9A8F0A3C15A504AC752
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 984c6ca89446be0f8445c09357193ab3cdd615a6bb16936fbeb9b1a70bf671a4
                                                                                                                                                                                                                                                                            • Instruction ID: 58b15107b58ac0113a533f85cfc47ec5bb39941030c292c6497e3875513605a4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 984c6ca89446be0f8445c09357193ab3cdd615a6bb16936fbeb9b1a70bf671a4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EBD0A7313511205BD204569CE45497D379DDB4A718B00046AF209C7325CA52FC0042C9
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 965642193c8f19e6dbc5e4abcfc103b84375e338fad4ecd601bf50a7913276d3
                                                                                                                                                                                                                                                                            • Instruction ID: 422a8aa4e82d8896cfeab9a760c0823878c55375b48cc0b531d42356dca932b8
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 965642193c8f19e6dbc5e4abcfc103b84375e338fad4ecd601bf50a7913276d3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 71D0233271501CAB93046798DD4597E7BADE7943603504433FB01C3328DD71BC0593D5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6399a00de979cfe6c969129bd791caa254eab2a2ebea6130ce1eef66ee97ba01
                                                                                                                                                                                                                                                                            • Instruction ID: 3cce4fc7b541abdb5323da815bbafd3858d32fd551880ed648c19c93e9f60a6d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6399a00de979cfe6c969129bd791caa254eab2a2ebea6130ce1eef66ee97ba01
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 36D0C93128530C5AF72436E26E1577A32885B4061CF900499FB4C5D5D199A67CD08291
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7ea88a047387b6e88fcc5da64796389564f28b3361e57de83809e696bb939f1e
                                                                                                                                                                                                                                                                            • Instruction ID: 65d041b596641678e1f425a2cbf60cb7209574c36e867c9ec3032b89c7114d04
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7ea88a047387b6e88fcc5da64796389564f28b3361e57de83809e696bb939f1e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B5D05E7091520DDFCF00DFB4E942A5DBBFDEB44204B2086E5E408E7214EA305E05CBC0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000000C.00000003.1369205184.0000000004AF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04AF0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_12_3_4af0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1e503333a62e5eeca4c8d63063bf7a7ff3a63355b388226af32a49d13df3b2cd
                                                                                                                                                                                                                                                                            • Instruction ID: bd31f2d24d97624d187126483c022d313335b1b89072a177b4568c29b809025f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1e503333a62e5eeca4c8d63063bf7a7ff3a63355b388226af32a49d13df3b2cd
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0DC08CB2E20A148BD1694A4448082F6B3A0FB3130AB80801ECA850400A9331211BA92C
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6128ac7f7459a8ac4bf3a8fd309f82a3eb4079725c89b74831e1a56823610e4d
                                                                                                                                                                                                                                                                            • Instruction ID: 86f95ec88955160be038d70ec15b0a9bfe60a299de643478de624aaf6db01f69
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6128ac7f7459a8ac4bf3a8fd309f82a3eb4079725c89b74831e1a56823610e4d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 92315A31D2452E8EDB69EF04C4907F8B3B1FF59300F5446AAD01A93291EA78AAC5CF50
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4154150b6cd86fe0320761a9c354003b7d6e8242dad76ac9a2d6ca4b5fdcbb77
                                                                                                                                                                                                                                                                            • Instruction ID: acc6ac214f63759272fa301e4872717485ad378711eb9de1e32c700d889ed56d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4154150b6cd86fe0320761a9c354003b7d6e8242dad76ac9a2d6ca4b5fdcbb77
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3451707091891D8FDBA8EB68D498BECB7F1FB59301F1041AAD01DE36A1DB75A981CF40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f6efb1617f2204cb02f34031fe6cb31696fed1b0a80563e9a44c0eb64cc57526
                                                                                                                                                                                                                                                                            • Instruction ID: 083f50d9c55674cb24f857da34ed6c1d94cab49a097d025e0773a9d348997f8c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f6efb1617f2204cb02f34031fe6cb31696fed1b0a80563e9a44c0eb64cc57526
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0051D27180D6CE8FD712EB789855AF9BFF0EF16320F0806FAD499DB1A2DA285441C741
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8a5ecf80074238522cc95f08d667020237486dd6f3137ae5c9466c39441eb6d0
                                                                                                                                                                                                                                                                            • Instruction ID: d97c821fd1859fe9360731ad75fcee174e41e1a1e7d84a29a6341aadaf58b474
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8a5ecf80074238522cc95f08d667020237486dd6f3137ae5c9466c39441eb6d0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 22518D3090D65E8FDBA5EB68D4547ADB7B1FF16300F2042BEC01DE72A2DA386981CB40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1444651503.00007FFE7D1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D1F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d1f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 37eac1496725bd1881695aa9af842081073c31688803e4a0363c9d86589de459
                                                                                                                                                                                                                                                                            • Instruction ID: 89a7433af3807e7ecc05b10acdce46b1a85cfe90a65a544682878c54186c48e2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 37eac1496725bd1881695aa9af842081073c31688803e4a0363c9d86589de459
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1531617071CA0C4FD65CDB0CA495A79B3D1FB98711B50026EE48BC36A5DE25EC428785
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: ffd30333e57d24d6680d90e6c0f7e5a8f6b641de16c4f9be0cbc162a611c6d57
                                                                                                                                                                                                                                                                            • Instruction ID: 2f96766abc567a842f15adfd4eff00159f202c4e2cc088c53881c601ff8d5e3a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ffd30333e57d24d6680d90e6c0f7e5a8f6b641de16c4f9be0cbc162a611c6d57
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 89314031C5929E8FE769AE64D4543FDB7B0AF06300F4015BED05AA72A2EA7C5AC4CF14
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1444651503.00007FFE7D1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D1F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d1f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0b7f9e9f9160ae8580ba0897dc56400a70ca9e7cfd20854f6830b102f1cf91ba
                                                                                                                                                                                                                                                                            • Instruction ID: 02bceaeab377a000e72e96bee9281c8384e624a4384766cf2ad0fca12f246c11
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0b7f9e9f9160ae8580ba0897dc56400a70ca9e7cfd20854f6830b102f1cf91ba
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 76214F7071CA084FDB58DF0CE495A75B3E1FB98711B40066EE58BC3265CA25EC42CB85
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f7065d3bddeb077d9c1062304a38936017a80b1f7eb4ff870bbc9fe881b144eb
                                                                                                                                                                                                                                                                            • Instruction ID: 8571569b9605a83c937a897aecff86aef32613e4216bc2d484df007a91f815ca
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f7065d3bddeb077d9c1062304a38936017a80b1f7eb4ff870bbc9fe881b144eb
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7121D832A1D68E4FD712EF6CB8A15EA7BA0EF45320B0403B7E458C71A3DD389816C751
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2bd64f231e215515d30dcb7d6f505883aa478a675bd0c5032ca3880f4b924f12
                                                                                                                                                                                                                                                                            • Instruction ID: adacb3bd5a07a717a7ed68f1298936508435abc38da7def01e14194c8def54b6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2bd64f231e215515d30dcb7d6f505883aa478a675bd0c5032ca3880f4b924f12
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0031C26290D69A4FE766A73864611BD7FE1AF4A310F0806FFE0998B1F3E91C6506C311
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1444651503.00007FFE7D1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D1F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d1f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6afd1c7d1966339b5eea30e5a37a80742dd492815ccc1f0eb1fc264ea0cc75b1
                                                                                                                                                                                                                                                                            • Instruction ID: 430af38f3501b6353e73a4eb23115e5d163d8a9063eba30cca45f6a60cb0c1b4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6afd1c7d1966339b5eea30e5a37a80742dd492815ccc1f0eb1fc264ea0cc75b1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 93115E3191961D8FDB99EF04D4947B9B3A2FB49300F5440BEC01EE31D1DA39AA81CF54
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: bf6a8859fe821f1aa9da4479e52e014f222200c1e020e7a976c83721e01d50a3
                                                                                                                                                                                                                                                                            • Instruction ID: b63fc4ba2d32cdaaaffd0aed332953d5a543735be235833f0fd49616b7371920
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bf6a8859fe821f1aa9da4479e52e014f222200c1e020e7a976c83721e01d50a3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2601A536A1868F4BE721FFA8A4D51F97790FF51214F040677E458860A3EE28A4568641
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 29fb4efd571d62e02366d8b188e63c55796318c4300c5bc8b91a071537109674
                                                                                                                                                                                                                                                                            • Instruction ID: 81033b65ba14e2d388e5a75f047d473147e8884a3c3b366236ae4cbb4a5f5cac
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 29fb4efd571d62e02366d8b188e63c55796318c4300c5bc8b91a071537109674
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7A11A235D1991D8FDBA4EB58D484AECB7B0EF69311F4011AAE01DE7661DA35A980CB00
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 306d6e0af1259fbf49217cffbf2fe45cb3fda5bff93a7c0cc46a09fd05c5c019
                                                                                                                                                                                                                                                                            • Instruction ID: 6a744384d2c6a1f0d353a906118932fb4d7f0ec95b5a39477d9362fec6064c9c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 306d6e0af1259fbf49217cffbf2fe45cb3fda5bff93a7c0cc46a09fd05c5c019
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4A11FA35D18A5D8FDBA4EB18D4857ECB7B0FB15301F4005BA901EE3291DA755AC4CB41
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: a6fcd7e791b320de357e2ee6e3321239d8da14310426000afecae9e16a2311c6
                                                                                                                                                                                                                                                                            • Instruction ID: f9ecc46ba64d5c60452fc99684c7851dab6f1fd4d5482cced548fb15af26a25f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a6fcd7e791b320de357e2ee6e3321239d8da14310426000afecae9e16a2311c6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9701F721A05A8D5FE751EBAC78158FEBBE4DF85212B8003E7D068DB161DD1825438301
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 435e594c9cfa4edf05460d1426579364380d26a03965f42ef98cc52f4d11cf10
                                                                                                                                                                                                                                                                            • Instruction ID: 86545ea355e120deb6d785b4bf499c3c7e09e87a0bf490d0aef433b9e9a65765
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 435e594c9cfa4edf05460d1426579364380d26a03965f42ef98cc52f4d11cf10
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A0112E71D1962E8FEBB6EB1498453E9B7F1EF58300F0042F6D05CD7161EA785AC58B90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1444651503.00007FFE7D1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D1F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d1f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7f86d33bc7a4023bb74751c7e6f705029aae50c4353c76a49caad85b75c20114
                                                                                                                                                                                                                                                                            • Instruction ID: 65f48007f274fed0ae474dc81a4e075df30820eecc38301e81d25836ff957512
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7f86d33bc7a4023bb74751c7e6f705029aae50c4353c76a49caad85b75c20114
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 29F0447130C90D4FDA58DB0CE841E74B3D1EB5532071102AAE15EC7676DA12EC92CB84
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Instruction ID: c7f3e350e61474430061bbcdeae801448eb154bdffdfbee7ef032b15a6fea276
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e37efddb29a128bbea7c7be130c859cf7cb05f103dd8122458a45a2233ed5cf8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 78F01C30608A0ACFCB94EA1CC459B5077E1FF68315B5442FAD419CB1A2EA24EC89C740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6d5f4f38f48cf1e883ae19d21f5ef8e9505411c6ddf5a41095f90d2d303a4520
                                                                                                                                                                                                                                                                            • Instruction ID: d82dfef19c17c54b4889cd662997ab0a1da62b44e4c6d5fef447a506886b056a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6d5f4f38f48cf1e883ae19d21f5ef8e9505411c6ddf5a41095f90d2d303a4520
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DAF0A032D0C54E4FDB10EB98E0412FEBBB4DF06300F1006B6E05ED7093CA6861468B40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1444651503.00007FFE7D1F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D1F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d1f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f2d6cf7b249450812e2ca2d6e9e45f28bc7710bc6db7255fe9911d3b3732384d
                                                                                                                                                                                                                                                                            • Instruction ID: 926bc564f9e14d86641558ff66a458e988061e4d4173fe9b5dd5446909b11e5f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f2d6cf7b249450812e2ca2d6e9e45f28bc7710bc6db7255fe9911d3b3732384d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: ECE01A30314E094F9785EB2C8489A6973D2FB9C701754407AD04AC737AEE64EC468781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 53da7ac88056afcbce1405abe4c0751cd17b1dc543d32bdbeea37f601186623a
                                                                                                                                                                                                                                                                            • Instruction ID: f17d74e14168ad666fd24a857bef1cedaac63498180a5d3c6ef843622a52d57f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 53da7ac88056afcbce1405abe4c0751cd17b1dc543d32bdbeea37f601186623a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1BF0E27084925D8FC316DB749484AAABFF0AF06304F0542F9C4A4AB1A6CB389982C700
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 477a4432df07b92180d0c5100d363e34d6d688c0cbc34bd46b1b8cd6f0f7c4ff
                                                                                                                                                                                                                                                                            • Instruction ID: 0065d03b7f949ef8471e27185481ac3f852b16b1e56ceffba9f35d188acd121e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 477a4432df07b92180d0c5100d363e34d6d688c0cbc34bd46b1b8cd6f0f7c4ff
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 24F08C3180926D9FD721AA25D8013ECB7F0AF01300F4480A9D058671A2CA795A85CF00
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 46f78044ea4056bfa803045e1d3eef268de79ed85f66c51a94b81e3c167555a5
                                                                                                                                                                                                                                                                            • Instruction ID: 7faeee330a11b366f94e64cecea21c1040a03d27f8879b63b36adc3615651411
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 46f78044ea4056bfa803045e1d3eef268de79ed85f66c51a94b81e3c167555a5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B2F0A0718092AD9FD7619B30D8803ECBBF1AF02300F1480E9D04C671A2DA3D5EC8CB00
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 86017a042daece14a54fd342df9b07d0344c67d72050c5b6f04d87eb72058a02
                                                                                                                                                                                                                                                                            • Instruction ID: 5ec32ce967a2c8cdc1792deea793e2d04f2536a17c3f8c01076c7b47fb039b07
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 86017a042daece14a54fd342df9b07d0344c67d72050c5b6f04d87eb72058a02
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BBE01A719096994FD7A6EB2884557E97BB1EF49300F4005FED01DD72A6CE395A818B00
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000013.00000002.1443810849.00007FFE7D100000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D100000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_19_2_7ffe7d100000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f7f1d80ee436574fe5c224ebfb5a1216051a7b31ba337f99e5d742550eb5b764
                                                                                                                                                                                                                                                                            • Instruction ID: 96be52e1c5aa6438df0ddd27d9c249eb62e853320cdfef095d9b7063e7bf5e61
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f7f1d80ee436574fe5c224ebfb5a1216051a7b31ba337f99e5d742550eb5b764
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7712E430A2C6464FD7689A1C858513A73E3FF95700F24667DE49AC32A2EF28FC138742
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 0[p)$8[p)$@[p)$H[p)$`7p)$h7p)$p7p)$x7p)
                                                                                                                                                                                                                                                                            • API String ID: 0-3958140327
                                                                                                                                                                                                                                                                            • Opcode ID: 966056d576cbc36d0f9c4502a99b08842816a7fd2e02a1c2cb1ad7ec7691004c
                                                                                                                                                                                                                                                                            • Instruction ID: cb6d360cd1eb40a112231ba054a7f362f5a1aaf6caa845536155df7cd0ebbe4d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 966056d576cbc36d0f9c4502a99b08842816a7fd2e02a1c2cb1ad7ec7691004c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EB41EA71E1850E8FDB54FFA8C4965ADBBF2EF94301F64017AE019D73A2DE64A842CB41
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: pG+}$pG+}$pG+}$pG+}
                                                                                                                                                                                                                                                                            • API String ID: 0-1568227507
                                                                                                                                                                                                                                                                            • Opcode ID: 4af5d23141b109eb63b1442a66a0fa86b182a7d9f17a825470094c3a87591cf3
                                                                                                                                                                                                                                                                            • Instruction ID: 2df010d091fdb3e962eefd6547790ba938a24c7a4b6ac488dd1d389c43c4cff5
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4af5d23141b109eb63b1442a66a0fa86b182a7d9f17a825470094c3a87591cf3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 15F10231728A4A8FDBA8EB18C45166973E2FF99304B6446B9D019C7296DF35FC42C781
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (8p)$08p)$88p)$x6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-2365208277
                                                                                                                                                                                                                                                                            • Opcode ID: d42780a35b9e6c1d612968f9fec0c8fc7e96668ab6736597d0de84b019cf571d
                                                                                                                                                                                                                                                                            • Instruction ID: b0e231a4872bd10507e62ebde3795365c2637a3492d04792e3b0b52b3d1b3f29
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d42780a35b9e6c1d612968f9fec0c8fc7e96668ab6736597d0de84b019cf571d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AB715931D1861E8FDBA8EB18D4947BDB6B6FF58300F6055B9D01EE3291DA74A981CB40
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)$x6p)$x6p)$x6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-2290288444
                                                                                                                                                                                                                                                                            • Opcode ID: b0a6edbf3c7efeb617d4688082f187bc1b3352abd0e38be85064481523e251fa
                                                                                                                                                                                                                                                                            • Instruction ID: 5258a31cdb6614829aaf79330fb877a2604eec66fa964daff0d8f2c6eae83188
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b0a6edbf3c7efeb617d4688082f187bc1b3352abd0e38be85064481523e251fa
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2A511235519B0A8FDB68EB14C090AA573A2FF54305B6445BDD05EC7AE6DB35FC42CB40
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: [p)$[p)$cO_^
                                                                                                                                                                                                                                                                            • API String ID: 0-1925929468
                                                                                                                                                                                                                                                                            • Opcode ID: 94b4e30a61c068b357870f6b5891683d4f61a6297e56cf2d0b794a7019515b43
                                                                                                                                                                                                                                                                            • Instruction ID: 588a6ea4cf34cf6daa4fd48f1918016b99a48b5c626dda5a2a03384be194ebf6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 94b4e30a61c068b357870f6b5891683d4f61a6297e56cf2d0b794a7019515b43
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7191D671D08A1E8FDB98EF58C494AADB7B2FF99300F1051A9D01DE72A1DB74A981CF44
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)$x6p)$6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-2964471420
                                                                                                                                                                                                                                                                            • Opcode ID: ad1409745b812571c9be4fe041c0dcb033dcf4591f4afb97ce8349f650f63fb6
                                                                                                                                                                                                                                                                            • Instruction ID: 874b0f2b60161f8a06f5d6cc121e5afeb8885de0418eef7e7f7a1662f9ea5b07
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ad1409745b812571c9be4fe041c0dcb033dcf4591f4afb97ce8349f650f63fb6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7151183084E7898FD755EFA4C8657E97BF6EF86300F2401EAE048D72A3CA795846CB50
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)$x6p)$6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-2964471420
                                                                                                                                                                                                                                                                            • Opcode ID: 6472dfa987610a13a5f43451c07ee146f2068033f5bf364ac46cbcf103cd7815
                                                                                                                                                                                                                                                                            • Instruction ID: a1711d830997293fc417dcae74a77db259f1abf170143ab4318590633b6d190a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6472dfa987610a13a5f43451c07ee146f2068033f5bf364ac46cbcf103cd7815
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DE413D30E186098FDB58EF68C4966ACB7F2FF54701F504579E449D72A6DE34B882CB40
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)$x6p)$6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-2964471420
                                                                                                                                                                                                                                                                            • Opcode ID: 4907f73aa198546ba8387ef772d5b2d3d3d879ce8ef0d30596a4ea1bca91ec6e
                                                                                                                                                                                                                                                                            • Instruction ID: 47887bae32a0504f600faa1a192472d4df6cb99b7f2c5d3e70663058c35e147b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4907f73aa198546ba8387ef772d5b2d3d3d879ce8ef0d30596a4ea1bca91ec6e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DA113030A1A94A8FEB94EF5CC896AAD77B2EF95301F1005B9D44DD7296CE34AC42CB40
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)$x6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-4122661443
                                                                                                                                                                                                                                                                            • Opcode ID: b824dce41b89bb156e359d79c8d913b997f35ed0fa79155416298078fb526c30
                                                                                                                                                                                                                                                                            • Instruction ID: be30ab48b0d5fa3866ef6982df1417a564f96b16ae5b7a43205867709e0f7598
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b824dce41b89bb156e359d79c8d913b997f35ed0fa79155416298078fb526c30
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 14911E31B1894A8FEB68EB58C451A6973A2FF95304FA44678D01EC72A6DF35EC43CB40
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: `[p)$`[p)
                                                                                                                                                                                                                                                                            • API String ID: 0-2096013379
                                                                                                                                                                                                                                                                            • Opcode ID: e41e0be514bf88a8c55efba02047f403ebbabfc3e623f5b40848f3d2b948d55a
                                                                                                                                                                                                                                                                            • Instruction ID: 3702f9cf344fe71921e1bdddb44973ffc4d8c61bc658a7b9c84b31de321696e9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e41e0be514bf88a8c55efba02047f403ebbabfc3e623f5b40848f3d2b948d55a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1D610A31D1861E8EEB64EB68C8557FDB6B6FF54301F5411BAD00DE32A2EB386981CB50
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: 9p)$09p)
                                                                                                                                                                                                                                                                            • API String ID: 0-2968261742
                                                                                                                                                                                                                                                                            • Opcode ID: 27e08ce52aa76f66e812c5fabb0919bcbb3037cacfab13c0907f2cc88bde284c
                                                                                                                                                                                                                                                                            • Instruction ID: ad18bad65041fdcbbb4aec4005640a76172f04e224542bb2a2fbb3029aa7fc00
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 27e08ce52aa76f66e812c5fabb0919bcbb3037cacfab13c0907f2cc88bde284c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8E319521E2CE5A4BE5A8BB7890922AD77978FD5700F3505B5E058CB2E7DC18A84283D2
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: `\p)$7p)
                                                                                                                                                                                                                                                                            • API String ID: 0-1663521903
                                                                                                                                                                                                                                                                            • Opcode ID: 2f5956a4dd6766838697d1cd7a451ef363c836b950e055df738c8a4cff47bda0
                                                                                                                                                                                                                                                                            • Instruction ID: 52ba3281eb1e366d2a01a4c2fd84f071a24b491a4d0808024586b64118e5164d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2f5956a4dd6766838697d1cd7a451ef363c836b950e055df738c8a4cff47bda0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4A215E31D18A5D8FDB54EF98D4556EDBBF1FF6A300F14056AE408E32A2DB74A8418B81
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: `\p)$7p)
                                                                                                                                                                                                                                                                            • API String ID: 0-1663521903
                                                                                                                                                                                                                                                                            • Opcode ID: 547129a62aba2731548e846970fb951be4c70482df9f2bdfce585b1d0c0480a3
                                                                                                                                                                                                                                                                            • Instruction ID: 423f69a4135e6ae95c162b9165e40c0e59ec11dda4fd4a5dc6a22016347cea3b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 547129a62aba2731548e846970fb951be4c70482df9f2bdfce585b1d0c0480a3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B211830D1891D8FDF94EF98D4556EDB7F1FF69300F14052AE409E32A2DB75A8418B81
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: X[p)$X[p)
                                                                                                                                                                                                                                                                            • API String ID: 0-3700953799
                                                                                                                                                                                                                                                                            • Opcode ID: 00fee061e1137bc28815eba076737bbda8971f5cea6b2b3ce2eaaddf23d42ea6
                                                                                                                                                                                                                                                                            • Instruction ID: 237b21e6b629c41e6105aec913e3ac8c2a97eaf62a0b7cebc4f81575d83e0c81
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 00fee061e1137bc28815eba076737bbda8971f5cea6b2b3ce2eaaddf23d42ea6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F5216231D1861E4ADB64EB58C8563FD72A6FF84301F54117AE029E32E2DE386945CB51
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: ([p)
                                                                                                                                                                                                                                                                            • API String ID: 0-1235646470
                                                                                                                                                                                                                                                                            • Opcode ID: ff2a0dc137ab239c4dcdae0c3bd0faef1d4761fe790ae861dcbbc08a38eed137
                                                                                                                                                                                                                                                                            • Instruction ID: b78f1d0f00be57dadb34958ce53a12abe990922ff33f9d18c98ce6b85e7f67e8
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ff2a0dc137ab239c4dcdae0c3bd0faef1d4761fe790ae861dcbbc08a38eed137
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3F319C71D1851D8FDF98EF98D495AADB7B2FF58301F50117AE00DE32A2DA35A841CB50
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-3265540055
                                                                                                                                                                                                                                                                            • Opcode ID: df23c847f8d6d4d37645cba7d87b9b113ffca20a21e9a31b806211ef4e29c319
                                                                                                                                                                                                                                                                            • Instruction ID: 20212f2c36f22caf6e83525d8e0293d5432ac7e355a2bd5f0a22b4caaae80355
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: df23c847f8d6d4d37645cba7d87b9b113ffca20a21e9a31b806211ef4e29c319
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A6318F31D1874E8FEB64FF6880553A97BE6EF55301F5001BAE058D72A2DE79A841CB41
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-3265540055
                                                                                                                                                                                                                                                                            • Opcode ID: d2f2c8408e99fa3f179e9a36f80b1c59d018a0e7db212d33e2df7c9541a5181b
                                                                                                                                                                                                                                                                            • Instruction ID: bb4e1626a4abdcb37bd39a2c62ad46c2235370e87aa7bc4f55d9b8615b92185c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d2f2c8408e99fa3f179e9a36f80b1c59d018a0e7db212d33e2df7c9541a5181b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 37319371D1864ECFEB64EF68C4562A977F2FF55300F50027AE458D72A2DE38A845CB81
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-3265540055
                                                                                                                                                                                                                                                                            • Opcode ID: 29fa36dbe533b760023f881aa80580b1230ffa7c7697bb0b94599b5e646f1129
                                                                                                                                                                                                                                                                            • Instruction ID: b7fa5a8f838da3bb4ae3f48e745b8487fb7d1d6009ff4f5982245c75e0b0f1bd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 29fa36dbe533b760023f881aa80580b1230ffa7c7697bb0b94599b5e646f1129
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9B31AE31D1855A8EEB68EB58C4556A8BBA3EF94300F4402BAD45D972A2EE243846CB41
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-3265540055
                                                                                                                                                                                                                                                                            • Opcode ID: 83ec01d5ecc05711478a7ed0591fc15c4ccd4afce8c5e86d21520ec06f782679
                                                                                                                                                                                                                                                                            • Instruction ID: 554977cbfebd2f572bc14a923425bb5b1ea6ba3a701cc30b8b7d5b123c0e436a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 83ec01d5ecc05711478a7ed0591fc15c4ccd4afce8c5e86d21520ec06f782679
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C7215E3091861D8FEB68EF68C0557AD7BE2EF99701F500179E049E7291DE74A841CB41
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-3265540055
                                                                                                                                                                                                                                                                            • Opcode ID: 73b79ff83169d2742d43a687aac1313da81122ec23b2607b3b6ac290b942f399
                                                                                                                                                                                                                                                                            • Instruction ID: 7c2bc72cfeb82e5fc76e0f5424ea14710981a91695d01f5ac8ea63bcccf88aec
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 73b79ff83169d2742d43a687aac1313da81122ec23b2607b3b6ac290b942f399
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 87016D31E1890ACFD758EB98C4965ADB3A3FF95340F5401BAE049E72A2DE34AC438740
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-3265540055
                                                                                                                                                                                                                                                                            • Opcode ID: 58231fe9856d6eff76152a6b557bcb68c02574f17bd1a80b13befb75f922b45a
                                                                                                                                                                                                                                                                            • Instruction ID: da76a9670af3cfaccdaa51dda0da976ff17d7e9eab3ec47730481a3bb39a9ced
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 58231fe9856d6eff76152a6b557bcb68c02574f17bd1a80b13befb75f922b45a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CF016D30D08A198FE754FB28C4917ADB7A6FFA5300F4041B8D04CD72A2DE34A842CB00
                                                                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            • Instruction ID: 6a1ad75e58788f84aafafa4182037fecf5d6bcc4f83ebde304c5a5880dcf89d0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 555d92833268617fbb4eb6b14b65fec4ae6e80f98b5cd174fd12a0c50f573a0d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4C61CB32A0C79A4FE765E76CE4915ED77E0EF92324B0C4677D058CB1B3DE28A8468781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2fbc53b8d8925a4e3927c9a2d307728c70670538533aabf1c69f96dedddbbda5
                                                                                                                                                                                                                                                                            • Instruction ID: fecfdb8d64b0b16f2f67c9dbf8c0a6cbb9747ffbade9b0b847e92ebd7669fed7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2fbc53b8d8925a4e3927c9a2d307728c70670538533aabf1c69f96dedddbbda5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C251E632C1D55F4BEB34AA74D8056FCBBAAEF92310F44137ED46D971E1EA28F40A8640
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 06c777f7dbbcc9f452ef2f45c2c796619813ca2a17a9c58646fbcf053dd213f0
                                                                                                                                                                                                                                                                            • Instruction ID: d56c3c14119b697858bab7e7c9c7a31b6b1b8e081c91b9bd60ddbf7a97f7654f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 06c777f7dbbcc9f452ef2f45c2c796619813ca2a17a9c58646fbcf053dd213f0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8651733192CA8A8FDBA4EB588041BA9B3E1FF95300F544579E05EC36A6DE38F846C741
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9d7869dfe632dc65e0de01392a709f332cfb320fc47852579bfd2e2f9f9aed2e
                                                                                                                                                                                                                                                                            • Instruction ID: 698eb2c7b4e2cce95d4ee9b1ee3fcfd63f7a5c27a35747702f831c22705f3ff9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9d7869dfe632dc65e0de01392a709f332cfb320fc47852579bfd2e2f9f9aed2e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AB51743192CA8A8FDBA4EB58D040BB9B3E1FF95300F544579E45EC76A6DE38F8468740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3ad0bd26c636f396dca08422957283f8e0db4371631e99d8fe5905c192905789
                                                                                                                                                                                                                                                                            • Instruction ID: 5cb2d29666195cde8d187605d999bd96743b9a026f71f6f5cd85b6c8384d7879
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3ad0bd26c636f396dca08422957283f8e0db4371631e99d8fe5905c192905789
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AA51743192CA8A8FDB94EB189040BA9B3E1FF95300F544679E45EC36A6DE38F846C741
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e54ffa8802c9cac7fe08d13e0ce38204b80eabc5541b4f4c0b1171c6a1060929
                                                                                                                                                                                                                                                                            • Instruction ID: 87e678d2cf4849637fb5f30639a12af0cb5d3178a24a9f1f24cab213a673cb03
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e54ffa8802c9cac7fe08d13e0ce38204b80eabc5541b4f4c0b1171c6a1060929
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 00418F3172CE4A4FDAA8EA08905167973D2FBD9300F640A7DE45DC32A6DF25EC428781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0b74bdc4886b47bb4a022dc3b3f9a23219ed94acf6ab3b361275b04e5fb41c18
                                                                                                                                                                                                                                                                            • Instruction ID: fb2a4fb253ffbdca0231dc9e409442a1e235f2d7241290913475ed53aeb2bd0c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0b74bdc4886b47bb4a022dc3b3f9a23219ed94acf6ab3b361275b04e5fb41c18
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2A41A831A28E0A4FD764DA3CA4947A573D2FF94310F54867ED4AEC72A6EE34F8418780
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8e39fd526d3e75726117867c81b014ab2f16ef8d45c19709f31e93816d0d7b5d
                                                                                                                                                                                                                                                                            • Instruction ID: c7ab183ab356cf49a8f1bab665135c2f7950bbd07697353b89841724bad556e9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8e39fd526d3e75726117867c81b014ab2f16ef8d45c19709f31e93816d0d7b5d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CF41A331A18E1E8FDBA8DA58D48567A73E2FFD5310B144679D019C72A5DF35F8428B80
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 91706099127c1a904441b3a9677f1c9b0051327d0d8826b060816f23da93999e
                                                                                                                                                                                                                                                                            • Instruction ID: b7bad874b1c3bf0d9db62bab11bae073f0bb98d8ba7892f2873eea8139bd3659
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 91706099127c1a904441b3a9677f1c9b0051327d0d8826b060816f23da93999e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2E21F33289E3C64FD3235770A8121E57F799F43211F4A12EBD098DB4A3D11DA58AC362
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 42b90e86a20134a1c7ceab50d511399cdb0bbb9cf59d29510fc5d167c705422d
                                                                                                                                                                                                                                                                            • Instruction ID: 00d7c853c8e06ae32dc1e8c470a43634d4fa5a9cb67ba5a3dcb0ac6487a495cb
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 42b90e86a20134a1c7ceab50d511399cdb0bbb9cf59d29510fc5d167c705422d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5A21B231C1864F8BE774BA1590406F8B7ABEF86310F181279D06CE71A1EA35B985C750
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3983f2a10e8bc070413694731cf8bb2e933110a6aecea53b90e031436759ecda
                                                                                                                                                                                                                                                                            • Instruction ID: b0bc20786735f521c86e4cc6f41a1f794cfd93c9fbccad83588cfa110d9a8c6b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3983f2a10e8bc070413694731cf8bb2e933110a6aecea53b90e031436759ecda
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5821C631A2C9864FE269AB288451679B3D3EFE6700B184679D01DC76B7EF38E843C340
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e3479ea0eb01cf23ab5d168e98053c5cd2cc0cddbdd473f3ae2788fc4474e9fb
                                                                                                                                                                                                                                                                            • Instruction ID: efa02abc82bb668fdf5c4ccd6544522ad504bdbffe9be91e4f28ab5892cfc1db
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e3479ea0eb01cf23ab5d168e98053c5cd2cc0cddbdd473f3ae2788fc4474e9fb
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 30219C70D14A1D9FDF94EBA8D495AACB7B2FF59301F500179E04DE3262DA35A882CB00
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9d04031fc8466d8a9cb059db8da0033719feb3e628f61efb1c5dc457a7a6e9a2
                                                                                                                                                                                                                                                                            • Instruction ID: d060f58f4e1b8e8e67c65bd874e02ce4177013b62c6cf798139d8bbf503d1d92
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9d04031fc8466d8a9cb059db8da0033719feb3e628f61efb1c5dc457a7a6e9a2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6011D636A1CA0A8FE768EA18D4416B873A2FFD7310B604779D41AC7196DB35F85387C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6aabc2183e0574ffe2a50c3bca946189202ea68128f0179b05724b1817d2a2b7
                                                                                                                                                                                                                                                                            • Instruction ID: 07faf22d7afef209971f73a670172e4a9b86fb074b7e72b032d4f470b7d3b241
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6aabc2183e0574ffe2a50c3bca946189202ea68128f0179b05724b1817d2a2b7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BE115E32B1C91E8FEAA8EB1CD4557A973D2EFD9310F1041B6D11DC72B6EE24AC468781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2f43d5a06ba3b77e804dcdf64384082856da95f389ebe77ec21fa6dda470d46f
                                                                                                                                                                                                                                                                            • Instruction ID: fbd8b52796a26c5edb61c4de5932d2566719c096278cdcfb61d1f2c8aa45224f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2f43d5a06ba3b77e804dcdf64384082856da95f389ebe77ec21fa6dda470d46f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0311D031D1874E8FEB68AF6880153A87BF2EF55701F24017ED049D72A1EB78A841CB41
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 49b782876909149b92e0573e09d5b2ec8717f4f9d3f214ba8675f4070cc28e5e
                                                                                                                                                                                                                                                                            • Instruction ID: c4df5dab8c2b3a8e5c261147f25c4178c0a449f57ab4171b9e47401f2d2b7b87
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 49b782876909149b92e0573e09d5b2ec8717f4f9d3f214ba8675f4070cc28e5e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5E110C70518B489FE778AF28C84DBB777E5EBAD311F11452EA48DD3261EF3068458742
Memory Dump Source
• Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
Memory Dump Source
• Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 17204250ddfcd1125b436830b31ebf33e6afe695178dd94d93a30e5fdec0c13e
                                                                                                                                                                                                                                                                            • Instruction ID: d6164cc407003a9bbe48fad6e533a4581cecdfe4e40b0c173eec6fd2c60c235a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 17204250ddfcd1125b436830b31ebf33e6afe695178dd94d93a30e5fdec0c13e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B001F717E1CAAA0AE226F36DB8965DCBF95DFC2120B0855F7C0088A0E3DC0879898391
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8c55c514a66a4ef78bdc5c5188d03bca1ad4336f71895bbffae986d561f187d2
                                                                                                                                                                                                                                                                            • Instruction ID: b8115a81478b8f918d90ebbaa5728f7025870457c2de8428bf09b597643d94cb
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8c55c514a66a4ef78bdc5c5188d03bca1ad4336f71895bbffae986d561f187d2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 78011D31728E4A4F9AACEA1C9051A3972D2FFE93143A0057CD01EC76A6DE25EC428791
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f616c1123ad30f6ac0133fa0478fc6ff6fe945cc7cafe429151dc10e0bb1574a
                                                                                                                                                                                                                                                                            • Instruction ID: fd177e6b9e5e81a4bff609aa478ce978a925fd97fefcd4fb39769eaec0f946da
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f616c1123ad30f6ac0133fa0478fc6ff6fe945cc7cafe429151dc10e0bb1574a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EF01D430E1861A8EE758BF6881453BC77E2FF65741F54017AC08DE72A1DE386442CB40
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 427c725f55197bfecec4a0cbc3e6289ac9b65bcdf38ed4c212f196300d122a1c
                                                                                                                                                                                                                                                                            • Instruction ID: 47e81f1cb7c933cea401ce8669dcaf599aa9d73a26478af18337e9ef0376bb77
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 427c725f55197bfecec4a0cbc3e6289ac9b65bcdf38ed4c212f196300d122a1c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 18F0EC12B2DD0F0FB1D9BA5C350527D61C7EF88A71F946377D40DC2166FC18A8424244
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f1876399cd49a3864519669679f085d942ee11dd6aa80ae032cfd09b87155e0d
                                                                                                                                                                                                                                                                            • Instruction ID: 80feeb02fcbddb88cf8aaf3e67820175294545bf9d4c0722007ff028ed071d32
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f1876399cd49a3864519669679f085d942ee11dd6aa80ae032cfd09b87155e0d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 62F09633A1C6094EFB29DA58E8425FC73E4EB81321F50057BC00AC21A2FA25E9568BC0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 37e5351640a635517be29c9c79db296b04505b9961f2c62916bec5ab2fa2f3a5
                                                                                                                                                                                                                                                                            • Instruction ID: 17819def8feb8d548550e7df9d5c7d526ef1b8a8b48ec6f9f5d01dc815a76617
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 37e5351640a635517be29c9c79db296b04505b9961f2c62916bec5ab2fa2f3a5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 25F0547161C7484B67049E0CA8460EDBBE1E789A25F00072FF585D3211DF31B8434686
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 49d97f84b062afa4269d79b95ab320137c95db0b4c7b49e7e1e081e79e6c8472
                                                                                                                                                                                                                                                                            • Instruction ID: bc3f122f71ae66840527cc617597b9c08ad3836c67fd4bc7a8d29c6771dbbfb4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 49d97f84b062afa4269d79b95ab320137c95db0b4c7b49e7e1e081e79e6c8472
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4EF0EC12B2CD0F0FE6947A6C350517C61C7EB48661F8423B7D40DC31A2FC2968428244
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Instruction ID: 5897cd3e9475ddfc0b9b72598fe20bffce92fd760691e410cca0014ffb7d3312
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ae419b61ada9c099fc484b19acb898c218b4420e158a45fd03bf0778a2b30a16
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CBF0FFB4524A4E8FE794EF28C894BA977E3FF58304F500569D429C72A2DF35E816CB00
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: a5854e1498e9354291b80a8b4c4467bd728607c866b0e32a7e8cccb57bf02e2e
                                                                                                                                                                                                                                                                            • Instruction ID: 6ba60abe07ebae7351682999903c0052aff4f7d19931025f41fcd8955bae3dce
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a5854e1498e9354291b80a8b4c4467bd728607c866b0e32a7e8cccb57bf02e2e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 34F01231628A4A4FDA98EA18C050A7972D2FF95304F64457DE45AC75E6DE38F842C780
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 81865019a9e6b4ab060710281b771562b638dd39ca02f8b7777bb0f4b3b95866
                                                                                                                                                                                                                                                                            • Instruction ID: eb101e0313069636c64c70d4bf285ff0b96d2b3200a2e9bef65f49d7279932ec
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 81865019a9e6b4ab060710281b771562b638dd39ca02f8b7777bb0f4b3b95866
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 80F0123261C81E4FDF98E64CD451BE873A2EF58350F1441B6D11DD72A2DE25EC42C781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9d177b1ab918f468acedb3fab411446cc43a8b8ceaf8833ba7ad56f51a7401a8
                                                                                                                                                                                                                                                                            • Instruction ID: 8955f970383b603305da2df126acbfeaaa2964c44d81f19b7d120b86e2d7e5c8
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9d177b1ab918f468acedb3fab411446cc43a8b8ceaf8833ba7ad56f51a7401a8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 71F03031D24A4E4FDB98EF6888495FE7BF1FF58241F00056AE82DD3261DF7565148740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3d7b5f0d9da2fb8087bc130096a5628abf7d1a6fbf392e2f550e50d95182ba3a
                                                                                                                                                                                                                                                                            • Instruction ID: 44e1578004bde17623b8bc679e0488af45e9b4928e8cf194f81e83edd15e4c8e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3d7b5f0d9da2fb8087bc130096a5628abf7d1a6fbf392e2f550e50d95182ba3a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BDF08230A1868D8FDB98EF58C4919AEB7B2FF84305F504679D05AD7249DE35E803C740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8110807bdcc9f1922160c8905a0cd79386dae792f3f897c80f0a6e83189eaa53
                                                                                                                                                                                                                                                                            • Instruction ID: 1240b9f97c7c930b2aa93d0e77d028a04664f26a101b3b8c1c8f4f54340fe688
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8110807bdcc9f1922160c8905a0cd79386dae792f3f897c80f0a6e83189eaa53
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 64F0B771E2896E8EDBA4EB5894457EDB3B7FB99301F5011BAD41DE2291DA3468408B00
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 83132eae8c65d99e12068cdacbeca0d3392f6375133d535aceb229adc7721f81
                                                                                                                                                                                                                                                                            • Instruction ID: 0c292a90f0972459b20f3ff60bd252c0f5ba328e3aa57a56255264b03872ae16
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 83132eae8c65d99e12068cdacbeca0d3392f6375133d535aceb229adc7721f81
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4CF0FE30D1C94E8FEB68FB689455ABDB6A7EF59304F60217DD019D72A2DE64A8408B00
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5c51d180d45621b57c95678a4465ce8a2d885eec5ba33e4ac5b91a5f593196cf
                                                                                                                                                                                                                                                                            • Instruction ID: c0aab0ba968644428d8ced734bf7bb3aa4a97a1b255eb7a722b83faabcb0f149
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5c51d180d45621b57c95678a4465ce8a2d885eec5ba33e4ac5b91a5f593196cf
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 99D05B6375D61A0E65A8954C78032F5E3C2C7C717025442BFD49EC7A97FD47684301C8
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5dc6de4e6859b04f913d56432613d2044060b0537cf5b0b18d3015f40bc7fc4c
                                                                                                                                                                                                                                                                            • Instruction ID: 63f62933f9eb207678a14773ea05a5ca6fe16530f2e45841f7284bcd9f4a0c7e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5dc6de4e6859b04f913d56432613d2044060b0537cf5b0b18d3015f40bc7fc4c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 77E06832E1120AD3C7007B98B8115FEB765EF80361F5000FBD02DC7552DE2020228790
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d8521a967db358de00b48c4aefae29d6ea3397ed9347a6df124887908c15a27a
                                                                                                                                                                                                                                                                            • Instruction ID: 9e5bd6ae23c8c924600d72bdc65801e06abca2f4b58803069486a1719512e79b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d8521a967db358de00b48c4aefae29d6ea3397ed9347a6df124887908c15a27a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 67E0373685D54B8AE7247A54A4961F97697FF52300F042935E46C421A2FD597524C381
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1947e04d2b039e7d524b64437f60d19d7367ad3162e46f2cbe8ecb9fa7ea9372
                                                                                                                                                                                                                                                                            • Instruction ID: 1078cb9a7658f80a2fa3ff30e22e84ad035b72795dd5b189da76a899c19d3bbb
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1947e04d2b039e7d524b64437f60d19d7367ad3162e46f2cbe8ecb9fa7ea9372
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D2E0ED70A2894D4F9B48EF58D8449EEB7A6FF88344F144769E04ED3185DA34A9438B84
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2b01cfa1453f28224ec0500c851b91cec3056df512eb35f043266e4f84cb480b
                                                                                                                                                                                                                                                                            • Instruction ID: cd12e7d4ffcb1ca13347a04a104619a450f4e4b8e4caff0ab8d341e8728175b4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2b01cfa1453f28224ec0500c851b91cec3056df512eb35f043266e4f84cb480b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AAD01722B5C50A0EE688A5ACB8002B9A3C6E7C9320F41167EE14EC2286ED1A98520241
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 57499cd212532f9acb75aae9a4b17e31dfef7d0243ab07ef68f4409e7f9478c6
                                                                                                                                                                                                                                                                            • Instruction ID: 31ba944430551098f72dd687ed2313c297122458148ce0442c5d4d7c354c353b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 57499cd212532f9acb75aae9a4b17e31dfef7d0243ab07ef68f4409e7f9478c6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D3E0CD33F1C6090AFF585989F4416FC73E0EB91325F000037D66997151DE2674174740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2fbaef63635131209ea90f9bec55a16b4269977842066704f3e346790bd6cb86
                                                                                                                                                                                                                                                                            • Instruction ID: c86907946b20b94462bc10a7039cdced4ebc34a40c8c98c9b2668970d79a7768
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2fbaef63635131209ea90f9bec55a16b4269977842066704f3e346790bd6cb86
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E6E08666B289095FD365D63C98052A637D2EFE9700B24836EC429C3255EE2598036792
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 330761cd89381ef91dfa30d94cdcb09ef42e7131ff147c7761396797440e40ef
                                                                                                                                                                                                                                                                            • Instruction ID: 7542ce32a4c37451a71b65ceae112f0a46aeb2f1aa4a84913488d80de45db90c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 330761cd89381ef91dfa30d94cdcb09ef42e7131ff147c7761396797440e40ef
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0BE0E531E0481C8EDB54EB68E4417ECB7B1FF44201F4000BAD00CE3662CB3569818B00
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2541891430.00007FFE7D0E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0E0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d0e0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000014.00000002.2543896213.00007FFE7D2F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D2F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_20_2_7ffe7d2f0000_AteraAgent.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: x6p)$x6p)$x6p)$x6p)$x6p)$x6p)$x6p)
                                                                                                                                                                                                                                                                            • API String ID: 0-2963955784
                                                                                                                                                                                                                                                                            • Opcode ID: 18f35f9db9e1075e19edf1d749b93d7cf809fec752128facd809c66b558b6702
                                                                                                                                                                                                                                                                            • Instruction ID: cee7178eb6c4093a190d07aca4554588cfc2a9d2685e898003eaad56c05ac0fe
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 18f35f9db9e1075e19edf1d749b93d7cf809fec752128facd809c66b558b6702
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 06111C3196854687D558FF18D4514EEB3F5EFA13007554676E08B879AACE24BC43C780
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: aq$$&`q$(__q$4'_q$4'_q$4'_q$4'_q$4c_q$4c_q$@b_q$|-`q$$_q$$_q$c_q$c_q$aq
                                                                                                                                                                                                                                                                            • API String ID: 0-1497698772
                                                                                                                                                                                                                                                                            • Opcode ID: 4d33d0821652a23c4d9090aeea641f455478463e4683791562da14c0c9c12293
                                                                                                                                                                                                                                                                            • Instruction ID: ed37f155d4a01685f8602dd2cb45fe6b5fd3b333b4ee309b0a09976c97bf4c8e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4d33d0821652a23c4d9090aeea641f455478463e4683791562da14c0c9c12293
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 86A21734E41228DFDB259F64C994AEEBBB2FF89300F1045E9D50A6B264DB355E85CF80
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: aq$$&`q$(__q$4'_q$4'_q$4'_q$4'_q$4c_q$4c_q$@b_q$|-`q$$_q$$_q$c_q$c_q$aq
                                                                                                                                                                                                                                                                            • API String ID: 0-1497698772
                                                                                                                                                                                                                                                                            • Opcode ID: 6c81a5c9d95e57a2874bba1b30cfb61a1892022863b5c33105f5e5476c9786a5
                                                                                                                                                                                                                                                                            • Instruction ID: 7309f94a1dd993b3dba1dd9f5ed5d65f83f7ac9d21be07c74dd331e06a5a3575
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6c81a5c9d95e57a2874bba1b30cfb61a1892022863b5c33105f5e5476c9786a5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3C92E734A4022CDFDB259F65C985AEEBBB2FF89300F1045E9D50A6B264DB355E85CF80
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$\;_q$l;s$?s$|^q
                                                                                                                                                                                                                                                                            • API String ID: 0-4021651019
                                                                                                                                                                                                                                                                            • Opcode ID: 094afde3e9736c6b220c051bf58f9a22a2ad449a1174c9e9c0e7ca242651d1f0
                                                                                                                                                                                                                                                                            • Instruction ID: d9ad60fcc3b97bfe95275a46cb21bd60fa4ae569cee47335e0c9fc4ef1056c2d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 094afde3e9736c6b220c051bf58f9a22a2ad449a1174c9e9c0e7ca242651d1f0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1561F974F442164FD744A76A8A9067FB7ABBFC4750B10802BD946C7398EE34EC0287E1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$(cq$(cq$(cq
                                                                                                                                                                                                                                                                            • API String ID: 0-2810926966
                                                                                                                                                                                                                                                                            • Opcode ID: 4b378073e161d0bc9733f222dd3c1ebf3efe7e6e5a74aa2fcebcea6f3c1fb49f
                                                                                                                                                                                                                                                                            • Instruction ID: 628b39b8746d0cebf2a72fb33e3f6a48de42eaf9c42b056522b40ad4a1152fa1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4b378073e161d0bc9733f222dd3c1ebf3efe7e6e5a74aa2fcebcea6f3c1fb49f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 4D91F035B441148FDB44EF79D950AAE7BE6EF84210B1480ABE90ADB3A0EE34ED01C7D1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$d
                                                                                                                                                                                                                                                                            • API String ID: 0-2114257692
                                                                                                                                                                                                                                                                            • Opcode ID: 10c629d9a1eddc4ea1104a2ad4d8af4b916e170cd9b80f22e28befe46faf7888
                                                                                                                                                                                                                                                                            • Instruction ID: dd4aa12f0d267768ebcc6399f9b83d9d6bcf5af1158c6d6e498f564e240bd52f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 10c629d9a1eddc4ea1104a2ad4d8af4b916e170cd9b80f22e28befe46faf7888
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FD029A34A006058FD764DF19C58096ABBF2FF88314B25CA69D85A9B3A5DB30FC46DB90
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$|7s
                                                                                                                                                                                                                                                                            • API String ID: 0-3792521395
                                                                                                                                                                                                                                                                            • Opcode ID: 3a5af6348ace93eabeff4a7efe4869fb06ba7f6c8b3cbd02f9aec42e91bcbccd
                                                                                                                                                                                                                                                                            • Instruction ID: 377d94dee50f201d12c4238ca83acae9426d1b2fb3262ffa0c7cbdc116fd0c42
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3a5af6348ace93eabeff4a7efe4869fb06ba7f6c8b3cbd02f9aec42e91bcbccd
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3CC1B030B002558FC758EF69C454A6EBBF6BFC8700B248869E5469B395EF31EC41CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$LR_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2711968010
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: $_q$$_q
                                                                                                                                                                                                                                                                            • API String ID: 0-458585787
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$4'_q
                                                                                                                                                                                                                                                                            • API String ID: 0-1561623490
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$T;s
                                                                                                                                                                                                                                                                            • API String ID: 0-3422692073
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq$,cq
                                                                                                                                                                                                                                                                            • API String ID: 0-1849304749
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (Adq
                                                                                                                                                                                                                                                                            • API String ID: 0-319377459
                                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 06EC9FF8
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504416641.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6ec0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID: 6842923-0
                                                                                                                                                                                                                                                                            APIs
                                                                                                                                                                                                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 06EC9FF8
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504416641.0000000006EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EC0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6ec0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID: DispatcherExceptionUser
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID: 6842923-0
                                                                                                                                                                                                                                                                            • Opcode ID: a0e9a27ca0c4a6d9c7e920f7498f99018f759664742b2add5031c2eafcbac4b2
                                                                                                                                                                                                                                                                            • Instruction ID: bbd1516409a78ad23d5ed80f269c520551535f56e947edff0a73a1bc71ca11ee
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a0e9a27ca0c4a6d9c7e920f7498f99018f759664742b2add5031c2eafcbac4b2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B6113A31D0134C9FDB21DA3CD9453ED7B659B493B8F14427CD911631D0FA31584ACBA0
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: b7df04177ffe41ce91fd9d6672bc2428bd7240fb239504240215e84ff167caed
                                                                                                                                                                                                                                                                            • Instruction ID: ad36feb6754b2f9572641cb03fc2363644d87d88bbfe1601bcdaeba364d2b5cb
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b7df04177ffe41ce91fd9d6672bc2428bd7240fb239504240215e84ff167caed
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D171B335B002149FEB54ABB5CC546AEBAE7EFC8310F158429E506AB3A4DE74EC42C791
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: |7s
                                                                                                                                                                                                                                                                            • API String ID: 0-106565823
                                                                                                                                                                                                                                                                            • Opcode ID: ef2cce7daa55f997496a0ddea0824565247587b91667439ab26517229f362e09
                                                                                                                                                                                                                                                                            • Instruction ID: bc4319457a1b1b3266be3809b0863da8736cc3b68d351250f7fe165183be6ff7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ef2cce7daa55f997496a0ddea0824565247587b91667439ab26517229f362e09
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7471B234B002458FCB45DF69C954AAEBBF2FF84310B2585A9E405DB3A6EB30ED05CB91
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 60e7a0cddfbca4517d706c9bd7a6c8d5fe9091886bb7c4b8372b01a6f969913c
                                                                                                                                                                                                                                                                            • Instruction ID: 6cf06584be3600ff3813a0504a83cb73c1a54b64839968048d49679e9cde5736
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 60e7a0cddfbca4517d706c9bd7a6c8d5fe9091886bb7c4b8372b01a6f969913c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1B714C70A103189FDB45EBE5D8606DFBFB2EF88300F10442AE556AB3A4DE356D45CBA1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 6e2cb4b79fb559ab65cae0ecc9d3583a888d4eeaff52bf95b623d6383b3044a0
                                                                                                                                                                                                                                                                            • Instruction ID: ec855d259bdb14aac2f2d4e3a898d381190158ff9fbf44aebea4ec377eb37353
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6e2cb4b79fb559ab65cae0ecc9d3583a888d4eeaff52bf95b623d6383b3044a0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C7613C7AB002059FCB51DF69D880D9ABBF6FF8931071484AAE509DB361DB31ED15CB90
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: L<s
                                                                                                                                                                                                                                                                            • API String ID: 0-1978672643
                                                                                                                                                                                                                                                                            • Opcode ID: 34bb4d6a8cc372f821144c7492ea537985af49d388ed0e25ffcfcf879a2f897d
                                                                                                                                                                                                                                                                            • Instruction ID: 6402e61943516229c3e5508cd4cb44a4474a274c2d5858d17e0b28081e0b791b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 34bb4d6a8cc372f821144c7492ea537985af49d388ed0e25ffcfcf879a2f897d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BB618130B002059FDB54EF65D994A6EB7F6FF88604B20842DE446D7394EF74AC06CBA1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 16dbf19db9ac6d56afbdc156d9c988f6954270414f19b1f8c0b77137e0ae75be
                                                                                                                                                                                                                                                                            • Instruction ID: 36cc4ff5a5f2b132a2c79ecbd01750b9d37522ed40fd39538c477e5fa3e682db
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 16dbf19db9ac6d56afbdc156d9c988f6954270414f19b1f8c0b77137e0ae75be
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7F41E931B401156BE798BB699CA0B7E7BAADFC8310F10803DD916E7380CD35AD4683E1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: AC21F1343042009FD745AB2DE8409AA7BE7EFCD21076444AEF54ACB395DF21EC0687A4
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: k
                                                                                                                                                                                                                                                                            • API String ID: 0-140662621
                                                                                                                                                                                                                                                                            • Opcode ID: 1f47f6e9f2ca28f35f1fded17ffb868709f2bdc29a323609d5dc8d19e39ea74d
                                                                                                                                                                                                                                                                            • Instruction ID: ab5cba354c4c15b87979d2098d03ff6820cd5dc19f36fdbc8423ac4fb8728b68
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1f47f6e9f2ca28f35f1fded17ffb868709f2bdc29a323609d5dc8d19e39ea74d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 24218074E0434A9FDB41EFA8D4909ADBFF1EF49300F50009AC441AB351DB30AE84CB92
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: LR_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2241839734
                                                                                                                                                                                                                                                                            • Opcode ID: 1e64495a668df809c3d1025996151f2dcb47247b94f00287480b52801c05ed38
                                                                                                                                                                                                                                                                            • Instruction ID: 3ee8cad0e2ff0713822a99437e3d023b1af085fd34cb02740c6c6eb60bf89f78
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1e64495a668df809c3d1025996151f2dcb47247b94f00287480b52801c05ed38
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9E21D134B10114AFDB589F69D855AAE7BF6EF8C654F20805DE802E73A0DF719D01CB90
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: \;_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2457888070
                                                                                                                                                                                                                                                                            • Opcode ID: 62653bbcb218d3dc9e3910e483c505978146cb20e634b28d69b6f6a850700856
                                                                                                                                                                                                                                                                            • Instruction ID: 5d0b4522f6850a1aec447b3ffa98fa477ae3a060e857ef30cba243309ad2aca9
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 62653bbcb218d3dc9e3910e483c505978146cb20e634b28d69b6f6a850700856
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B71173727043064F9B689BAEA89495BF7DEEFC8265318807BF50EC7759DE61EC014350
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: LR_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2241839734
                                                                                                                                                                                                                                                                            • Opcode ID: a7fd184718f6b56d1a806419ec022fbf72fcacea036928f07b7eebf92abe088d
                                                                                                                                                                                                                                                                            • Instruction ID: c25b3b9e05eafdcea339980bc16d2f80fce8427f7c5e83c5f739d7edb0171428
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a7fd184718f6b56d1a806419ec022fbf72fcacea036928f07b7eebf92abe088d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3E21AE34B101149FDB489F69C455AAEBBF6EF8C654F108019E902A7390DFB1AC01CBE4
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: LR_q
                                                                                                                                                                                                                                                                            • API String ID: 0-2241839734
                                                                                                                                                                                                                                                                            • Opcode ID: e8641ee6bc3745c537e2df0f98029ab6476ddc817e2c66ed71815b2bbd5148db
                                                                                                                                                                                                                                                                            • Instruction ID: 1f011d87f5072dce07c3f12a6dda349ff33d43d304589d1ab592000c02bf8585
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e8641ee6bc3745c537e2df0f98029ab6476ddc817e2c66ed71815b2bbd5148db
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7E21C034B101149FDB489F69D455AAE7BF6EF8C654F108019E802A7390DFB1AC01CB90
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: fdq
                                                                                                                                                                                                                                                                            • API String ID: 0-3955173561
                                                                                                                                                                                                                                                                            • Opcode ID: c26880d3adb0c325099f78964e1377ecdc58c5f127d7ca56236654e7cee2f5da
                                                                                                                                                                                                                                                                            • Instruction ID: 49678ced1da6ffeefac988b31eb48a91c3876cc476259a035412db537cc2ba94
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c26880d3adb0c325099f78964e1377ecdc58c5f127d7ca56236654e7cee2f5da
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E7118679B01115AFDB54AFA59855ABF7FB6FBC8600B10802AF905D7340DF348D0287D1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: fdq
                                                                                                                                                                                                                                                                            • API String ID: 0-3955173561
                                                                                                                                                                                                                                                                            • Opcode ID: 9c3d2e0eed1e3fb98186acad219f7b42c142e078b85b9ad782a45ac891c4b00c
                                                                                                                                                                                                                                                                            • Instruction ID: ea0ee4620c8fbca592377d5d89febe623bd925fb0c15dc983499c4521a7246c6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9c3d2e0eed1e3fb98186acad219f7b42c142e078b85b9ad782a45ac891c4b00c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 41118275B001155FDB04AFA59845ABF7EAAFB88640B008029F909D7340DF349D028BD1
                                                                                                                                                                                                                                                                            Strings
Memory Dump Source
• Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: (cq
                                                                                                                                                                                                                                                                            • API String ID: 0-301743287
                                                                                                                                                                                                                                                                            • Opcode ID: 5c2fa68fb104329d67798a217413a8ffc3951268490e67e8136747503bd287d4
                                                                                                                                                                                                                                                                            • Instruction ID: 14f8f9be097bcb8a181c58d271df7383c2c4e4459cac473b6d7c58b0b77840b2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5c2fa68fb104329d67798a217413a8ffc3951268490e67e8136747503bd287d4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2001DF243083414FE715AB3DD85096E3BD7AFCA25431885BED44ACB795EF26EC46C3A1
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: C8
                                                                                                                                                                                                                                                                            • API String ID: 0-816706217
                                                                                                                                                                                                                                                                            • Opcode ID: bfa5c2e0c3b2983c886a2008ea2aba76022721c42ecf3389639264509b90f646
                                                                                                                                                                                                                                                                            • Instruction ID: bf89abd45f99b71b26a7da9740773ca0cac46c555a08d66de4b8fd73f5e767ad
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bfa5c2e0c3b2983c886a2008ea2aba76022721c42ecf3389639264509b90f646
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F001F432B203118FDB01AB9898513BE7763EFC4314F51851AEA466B344EF717C068BE0
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: C8
                                                                                                                                                                                                                                                                            • API String ID: 0-816706217
                                                                                                                                                                                                                                                                            • Opcode ID: d4f6e6b95d08b182180ebf0bbc87f70d4024e5fa7178904acd59aadea8091580
                                                                                                                                                                                                                                                                            • Instruction ID: 3116fbc37e6388df8193b2a10214ef8d149e7f9ee2524b4aec36113cc5a7f7c0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d4f6e6b95d08b182180ebf0bbc87f70d4024e5fa7178904acd59aadea8091580
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 52F0FF32B202108BCB01A69888113AD7363EBC4650F55842AEA46AB344EF70AC068BE0
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: T;s
                                                                                                                                                                                                                                                                            • API String ID: 0-676690661
                                                                                                                                                                                                                                                                            • Opcode ID: 2c3381726c1efb43ec7a2cfa6b730811db75632acf80b1abfedf5523b125c2ba
                                                                                                                                                                                                                                                                            • Instruction ID: 6c5901f19576ba7f52bbdb266a67113e8547ba14467edf3d43896fae55ffb9e3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2c3381726c1efb43ec7a2cfa6b730811db75632acf80b1abfedf5523b125c2ba
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BEF0E9313452001F8605266E58549AEBBABABC955436400BAE409C7351DD21DC0647A6
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 04d3e13aba35d3ec965c89d1b49277d1dd5af93d56182d28a070d6aa6b547d94
                                                                                                                                                                                                                                                                            • Instruction ID: 9c24518e5555452f1d754128e002a8172cfff1e02cbda00d5634d8781d94ca12
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 04d3e13aba35d3ec965c89d1b49277d1dd5af93d56182d28a070d6aa6b547d94
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 64D12534E003598FCB55DFA8C898A9DBBF2BF89304F148195E808AF265DB70ED45CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5a4ca52d9572c4728f921bb49d2d31c16be31af7258b1655f883f8ad3697f68a
                                                                                                                                                                                                                                                                            • Instruction ID: 6fd47c70dd563fcdce3f6c66e943d9c392b5b27e3784f2f11f389b3103afb457
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5a4ca52d9572c4728f921bb49d2d31c16be31af7258b1655f883f8ad3697f68a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2BB17B34B007018FDB55EF39D584A6EBBF2FF88204B048569E9568B365EB30EC46CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 30dc6bc9050ba2b8ca8a0d69e1fdeca233d7149a71849f6208ba4bb507bbe966
                                                                                                                                                                                                                                                                            • Instruction ID: 825655fb3377a55a0cf05f25696c9b62d43d2acb567cfc165a0f819e77688044
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 30dc6bc9050ba2b8ca8a0d69e1fdeca233d7149a71849f6208ba4bb507bbe966
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B7716E34B007018FCB45DF79D5949AEBBF2FF89204B048669E9568B355EB30EC46CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9b3a58efa91675d9b5fcb432b24215d5b3752d1b6722ee832d31451e59592173
                                                                                                                                                                                                                                                                            • Instruction ID: 60ebe5b5274823f16e2ee21d27da020ca2716226ab1ea6656fe643d4bb250065
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9b3a58efa91675d9b5fcb432b24215d5b3752d1b6722ee832d31451e59592173
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 06512B387505028FD798AF2AD594A2A77F7BFC965132981A9E40ACB375EF70DC01CB40
Memory Dump Source
• Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: fdf32df6d5087d1607f1897a6d41ad46f2f8298fa588dd332ad9693120ef7e8d
                                                                                                                                                                                                                                                                            • Instruction ID: f1e7cc1d0c69492a14d6585d0092f3922dd1f560242e4cf3e7945d782d160cf6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fdf32df6d5087d1607f1897a6d41ad46f2f8298fa588dd332ad9693120ef7e8d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2B31A1568AF3E01EEB43AB385D715DA3F719D5321570E01D3D0E1DE0ABE5488A5CC3AA
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: bfb566b6795b538997ff474efedf37ccc60650b5928e9d480d358c2ac02942f7
                                                                                                                                                                                                                                                                            • Instruction ID: 7eabc38c76e473e389f5a818ef45fb90ff94de5997eb3ebae30062f495db4c09
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bfb566b6795b538997ff474efedf37ccc60650b5928e9d480d358c2ac02942f7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B41BD31B002558FCB54EF79D888AAFBBF6AF88200B044469F546C7369DB30ED09CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3536b30ec32a3381087309c467a731b635ad301a419d61ee80478b2e56d11af3
                                                                                                                                                                                                                                                                            • Instruction ID: fc91d25aa50506031f105e603e11039ec068325e8187908b35e5118c25180412
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3536b30ec32a3381087309c467a731b635ad301a419d61ee80478b2e56d11af3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B741AF30B042558FCB54EB39D888AAFBBF6AF89300B144569E586C7365DB74E909CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 455856106b2af35e67fb7df818574f77b63ced0ebc6204b2eaeee87bc5c01006
                                                                                                                                                                                                                                                                            • Instruction ID: a36253e028096e6dbffecb2e975ae15caa9499976670aac21d1fc19fad39b680
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 455856106b2af35e67fb7df818574f77b63ced0ebc6204b2eaeee87bc5c01006
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1A31AD30B002559FCB54EB29D888A6FBBFAAF89200B144469E546C7365DB70E909CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 63663ee01d0ccbd71f9e66b4e3550c285abc8afbd02ef0fba8d309d21f47ac92
                                                                                                                                                                                                                                                                            • Instruction ID: ae06b2bda74f051ab6ac5e786ed521a86b0cd6a694aa771f83362bf596fd2857
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 63663ee01d0ccbd71f9e66b4e3550c285abc8afbd02ef0fba8d309d21f47ac92
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0831A135B101058FDB50DFA9EA80AAEFBEAEF84260B14C16AE51DC7355DB30F841CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: cfd0c36ac6fde8735ec75c759d20a20596df118e83637e81ae35732448cd27e7
                                                                                                                                                                                                                                                                            • Instruction ID: c77f17786ef6240b2bc249e19c518fb48cb228d2f2809f4d2da17505153775e3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cfd0c36ac6fde8735ec75c759d20a20596df118e83637e81ae35732448cd27e7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 66213732A563647FDB8137A46C103FA7F59CF82220F128067E9589B251CE298C92C3E1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1de67de29b575c1bbb72f4954409874ecd3b8d31492789ff867a471a4c2002ab
                                                                                                                                                                                                                                                                            • Instruction ID: 9b49e2f17c2b96e28e47e80748da5f1d94168c1109aef10e7210e70fc483e092
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1de67de29b575c1bbb72f4954409874ecd3b8d31492789ff867a471a4c2002ab
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5731BE34210741CFC721DF25D594927BBF2FF897007148A69E49A8B766CA30E806CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: dd410f2d0529b716aba3fe68dd459e25ad533a5f7e91c9d8b0fb7fe365a65808
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7F115E31B44115AFDB44EF64C850AAE7BB2EF8C320F118025D419E7390CE79AD86CBA0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 13400006f1716e443db90cf1c5c21fcda8043a882355347bf4170ba6f5ada177
                                                                                                                                                                                                                                                                            • Instruction ID: 521afea5ffaf49e26b08ae547a71cf0c3e2a948eeaa8bcf940ab2ed84f7f469b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 13400006f1716e443db90cf1c5c21fcda8043a882355347bf4170ba6f5ada177
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0A113D35604124AFDB04EF64D859AA9BFB6EF8C321F158029E809E7340CF79AD46CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000002.1505248659.00000000046BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046BD000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_2_46bd000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 739964059d31b747d3d8eb67c032c7abb424f586a59bdf99513cfd92067b6670
                                                                                                                                                                                                                                                                            • Instruction ID: b2da69e368f9fa62119520a310eb06dbc4020e9a46feaa5ea3bad5a583a0a288
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 739964059d31b747d3d8eb67c032c7abb424f586a59bdf99513cfd92067b6670
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E711B176904240CFCB16CF14D5C4B5ABF61FB94324F24C6A9D8890F256D336E45ACBA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 333f1438603b82b7b076624f63d5413f7d4943e69db83fd36b8343a9606e81e5
                                                                                                                                                                                                                                                                            • Instruction ID: 7de452d41dfe7ae940b03b65c0192494171c207225d2baade18e00e97acb94bf
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 333f1438603b82b7b076624f63d5413f7d4943e69db83fd36b8343a9606e81e5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C121D674E0020ADFDB44EFA8D4809AEBBF2EF88310F504599D445A7354DB30AE80CB91
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d2cb1d8375f411ae5d73eaa556d906692923238fe7f723bb5d4d239f165f623a
                                                                                                                                                                                                                                                                            • Instruction ID: 6f1d098e14e3bbcade0a3c0debcb24845abe0cfa5fbf15a32ff544c78ee2f67a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d2cb1d8375f411ae5d73eaa556d906692923238fe7f723bb5d4d239f165f623a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: FE2124B0D042099FCB60DFAAC985ADEFBF4FF48324F14842AD419A7240C7756906CFA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 43fb2dc8c101197b5d1741ac6cdaee846311ab74f258255c4e944f5a2fcd3316
                                                                                                                                                                                                                                                                            • Instruction ID: ae8719fd7dc54953ec54a9bb6b834fec40584989beb5f2b5a1bcb74eb234d5a2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 43fb2dc8c101197b5d1741ac6cdaee846311ab74f258255c4e944f5a2fcd3316
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0A1114B0D042099FDB64DFAAC981AEEFBF4FF48324F50842AD419A7240C7756905CFA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4f096f0e404ff3ab6b61f6fed9400c94aaf50ef6044ab26910bbf2c96a2e0706
                                                                                                                                                                                                                                                                            • Instruction ID: c7d81bacc7b675af8acccb9102fd7100c5e79ce93f7b8b34343f3c6f119da375
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4f096f0e404ff3ab6b61f6fed9400c94aaf50ef6044ab26910bbf2c96a2e0706
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9911FB35604125AFDB04EF64D854AA97FB6FF8C321F154029E40AE7390CB79AD86CB90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e5b6dc53191c7d274d522ae36379022d414bcd54671507c46d0e769be2005ca7
                                                                                                                                                                                                                                                                            • Instruction ID: 883fe03e6b15087e2c79a68043421bc4b6f3c10c0fe58819e94d19d1ae683910
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e5b6dc53191c7d274d522ae36379022d414bcd54671507c46d0e769be2005ca7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0A014E3250A7804FD352B774AC409AB7F9DDEC5214744C59BE18E9B516C6645D0987E0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000002.1505248659.00000000046BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046BD000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_2_46bd000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: ac96be6f9fbd770e230d1908b40bfa99342fcc919bb2225f0e15ca0f37869ae7
                                                                                                                                                                                                                                                                            • Instruction ID: 5b7d617e96cbb7718b7b3eb9107afcc6b5a7506ca8e32b2132cf200ef9b1b4ad
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: ac96be6f9fbd770e230d1908b40bfa99342fcc919bb2225f0e15ca0f37869ae7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C601807100D3809FD7124F2598846A2BFA4EF53224F09858BE8888F2A7D2699C45CBB1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1b66d18f36cc1cb9f4dbc79c3a74629673c46b58bc15f8d8494d25ec58aeb549
                                                                                                                                                                                                                                                                            • Instruction ID: eb40acdea6b662c0a6b40a253715e279927c51262b288cfb10fd8d3a203d5717
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1b66d18f36cc1cb9f4dbc79c3a74629673c46b58bc15f8d8494d25ec58aeb549
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 89017B72E093404FDB51AB2CE880A7A7B62EFD5314B1484BAF4069F2A6DF21DC04DB20
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000002.1505248659.00000000046BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 046BD000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_2_46bd000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0b03b5f04ec26703017ff0fba361785dd8995a09b807432b7f13966e4f170fef
                                                                                                                                                                                                                                                                            • Instruction ID: 43f07a0aae2c14723df5a5fd5b44371e6c9b2e677b4e01361f4223b9321a725b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0b03b5f04ec26703017ff0fba361785dd8995a09b807432b7f13966e4f170fef
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 68012B71104B40AAD7208F25EDC4BA7BF98DF51320F08C51AEC8C5F24AE279A882C7F1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c417ccd5931b1b0871dee7dcfe081ac0740f0503a61564e32bdcb8917082a724
                                                                                                                                                                                                                                                                            • Instruction ID: d2a04e49d6a9679734b87a4f60e8fbcac885b283baac10e27b7ea10c8b8ffb46
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c417ccd5931b1b0871dee7dcfe081ac0740f0503a61564e32bdcb8917082a724
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 60015E70E41309AFCB45EFB9E9915AD7FB5EF85204B4041A9E405A7342EA306F498BA1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: a53b48b84600596a16e9004cd1b25d6c3dc144c3aa7aecc59fd06783502df6b2
                                                                                                                                                                                                                                                                            • Instruction ID: 5d3cd5225850c919e051cebe629ffee4a2750fc3097b5a5c4d1eb6560dcf369a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a53b48b84600596a16e9004cd1b25d6c3dc144c3aa7aecc59fd06783502df6b2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 00F09036B181144FA7449B6DAC84A2FB7EAFBC5965315013AF519C7350EB71CC02C790
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e38deddf1c17117785476c0bf14d042d0ac7bd650ca8baf80d2db9bee6921721
                                                                                                                                                                                                                                                                            • Instruction ID: 6871eb2e5575d8b6672b743b382451edbf1cdc14be527b8249337ed06bde0ff7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e38deddf1c17117785476c0bf14d042d0ac7bd650ca8baf80d2db9bee6921721
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1B0142303483416FC301977AA8485AFBFA6EFC1394340056DF04A8B249DFA1684983F2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 6ffc5a176b3f4d5b4ea020380aeffd19e2651c24a69a897d87cded42724c1dc4
                                                                                                                                                                                                                                                                            • Instruction ID: d7d23c6d4390ddc853d73549c97b689203d174b53b55ad36528b9e6274a32d50
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 6ffc5a176b3f4d5b4ea020380aeffd19e2651c24a69a897d87cded42724c1dc4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 09F0F036F182044FD7949F2DAC50A6BBBA9EFC6951315016EE419CB362EA30CC06C791
Memory Dump Source
• Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F2F0E9356747415FC366772558006FE3BA58AC2290B550267D455CB969E960DC14C2D1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 965cbac164aeb23ccb2af4a41be2f108a027c053865ca344bf4ad53891f48c80
                                                                                                                                                                                                                                                                            • Instruction ID: d02d057c95176e9b1b7d72cd2c344a8f4762cfb56eb4f52c8eece2ef2f973872
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 965cbac164aeb23ccb2af4a41be2f108a027c053865ca344bf4ad53891f48c80
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5EF0E23111E3C19FC7A757399860582BFB69E9B25232A85E7E048CB0A3D2688C06C7E1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 31a2defbeb8f64362920ba5cb92c9fcf72d473bcb63da2b66933a7bf867c7dd0
                                                                                                                                                                                                                                                                            • Instruction ID: 9db89bf063cd027793ec01fa2c9831268876202af87409bcbfcf13277361aa94
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 31a2defbeb8f64362920ba5cb92c9fcf72d473bcb63da2b66933a7bf867c7dd0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 29F0F930B082451FC749BF78983421A7FF9EFC5214B064C7AC14DCB291F9249909C391
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 07142b095364e9f9f62370399bff1b0969145e23083829adae1d483782fb8250
                                                                                                                                                                                                                                                                            • Instruction ID: 76ba2bc68a6472b2f1efbd7467336c6b8a592b50d61084db3610157cd4381bb2
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 07142b095364e9f9f62370399bff1b0969145e23083829adae1d483782fb8250
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 46016D70E40309EFCB84EFB9E5955ADBBB5EF84204B4081A8E405A7345EE307E498B90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 33b82b92bb263c5a0e599948335ea827533de422a8143430a861eac0498bd497
                                                                                                                                                                                                                                                                            • Instruction ID: 0253962ee742fc8549c5e03fdca66cefe9812068888998b0d2cda79f3eef006a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 33b82b92bb263c5a0e599948335ea827533de422a8143430a861eac0498bd497
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D3F0B4347043428FDB119B3DD950AAE3FE29FC9341318056AF14ACB365EB60ED4687A0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 396b29029741fa2623363426087ad3f4c218e856b2b0c089eb89889642475677
                                                                                                                                                                                                                                                                            • Instruction ID: 7e85bef8d18d367f4d01a7f2bfc355578265ae7deb8b4b76a46586a76d8bc5a3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 396b29029741fa2623363426087ad3f4c218e856b2b0c089eb89889642475677
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3FF0E5317053544FD7556B3AAC8896BBFEAABCB66171801FAF549C73A2DA60CC05C3A0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: fc7fcb796ecf5943530761305db162cfdb5bc83aeb26f59d2c2de26164d0f665
                                                                                                                                                                                                                                                                            • Instruction ID: 1ce80a8c9ac3a87f647d9967f0bce12d99f0dab6c5c11349bee96c80cdac36ed
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fc7fcb796ecf5943530761305db162cfdb5bc83aeb26f59d2c2de26164d0f665
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 55F06274B441052EC708BF78E56522A7FEAEBC5628B05483AD50DCA250F924990686C1
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0166f1d535fe5729d6b4d0d332edee09aaba06c336b7d86d7eec0347547e7006
                                                                                                                                                                                                                                                                            • Instruction ID: 1de005556ebdd92dee0f9d9cf589038a8a20400ae33f797b1fe05a0a5b44be62
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0166f1d535fe5729d6b4d0d332edee09aaba06c336b7d86d7eec0347547e7006
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0AF0E535B202228BC744EB79D9004AAB7EAAF886A430491B9D909C7734EE71CC03C7C0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3d91613fe8a2ee34b0b41933529a3edb5418f083263f1b9e65328340f7d41c5b
                                                                                                                                                                                                                                                                            • Instruction ID: 822cf994dc89b953b3dc74444be2a2fb7719bab0721c01b7bb915ef55524a4cc
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3d91613fe8a2ee34b0b41933529a3edb5418f083263f1b9e65328340f7d41c5b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 37F03024B293580AEFA532A55D5037B2E9A4B82754F13007BD892CB686DAC4D8458BE2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9e4427e1d001c910495b36e42562bc6ad626efae2814e75d639720eb743dbd7d
                                                                                                                                                                                                                                                                            • Instruction ID: 1d759a758e24006482c4fdf8181adc478e26f3efbb6e9fd349a5d17cbb8a4138
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9e4427e1d001c910495b36e42562bc6ad626efae2814e75d639720eb743dbd7d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 32F030B5E11115EF8F94EFB999002FEBBF4AA48651B21446ED51ED7310E23087028FD0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f9d3c710aa3631e3007417fad6a0143dcbea0a34ebad91fce822286914dc79fe
                                                                                                                                                                                                                                                                            • Instruction ID: 169f097ebb4da72b10dea163de485de9e91fb3f7c13577fb6b9bf5d0016304fe
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f9d3c710aa3631e3007417fad6a0143dcbea0a34ebad91fce822286914dc79fe
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E9D0A736300220130646229F74545BF779FCFC5DA2315002EFB0AC3340DE529C4153E5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7c380e79a3865e06e4d5f664ddc367afb541e2854788405f0371ffd53f5f6906
                                                                                                                                                                                                                                                                            • Instruction ID: bde6ca8cf9128bbc85a479d9ae006e68f545c6035f475947f67641db8483449b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7c380e79a3865e06e4d5f664ddc367afb541e2854788405f0371ffd53f5f6906
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DBE09274E0520CAFCB54EFA9D44459DFFF5AB48300F0081AAE819A7354EA345A088F81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7b00b9243c5ba9ff7b5eb084760b820bbb3299adc48b1291915c1286042613a7
                                                                                                                                                                                                                                                                            • Instruction ID: 5f6aca3f90f9c690ed909bee19ff5ee4e1d87c9e1ab5e94924809073e8c69ed3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7b00b9243c5ba9ff7b5eb084760b820bbb3299adc48b1291915c1286042613a7
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 35D0A72AF6E3A06BCB5533F468542A86F59CB82931F1344E7DA1C9F642DDAC8C6143D0
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7e99bf3f6eebe5b5797c3c95c026a1e6208242cfc12b662172182b438bb4e11e
                                                                                                                                                                                                                                                                            • Instruction ID: c62dfdcee941b993dd63eca0771e021c031bfce906f5cae50bd944c72591fe9c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7e99bf3f6eebe5b5797c3c95c026a1e6208242cfc12b662172182b438bb4e11e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 03D0A7367101286B93447618DC9996E7BA9EB983603504437F90183224CD71AC1583E5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4250e2fbf20198937eb256b2e29a53f5c43c952b59e73deae542ffcb0cc323fd
                                                                                                                                                                                                                                                                            • Instruction ID: 4d73b144d1f9d0d952a068c7acea1467d5778f4991214dae66b754da558ec427
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4250e2fbf20198937eb256b2e29a53f5c43c952b59e73deae542ffcb0cc323fd
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 20C080B694831786975118E560050D13711C4512D93551077D0494C51DC536C443F550
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2817b4a51bd20dbf948ef1918c9f3874770c5fd68ba79cc52ddb961dddcbaf3b
                                                                                                                                                                                                                                                                            • Instruction ID: 9ed122951552ad6f389c0004a31d7ea87b88a317e5a5cc6398b773963eb5caa0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2817b4a51bd20dbf948ef1918c9f3874770c5fd68ba79cc52ddb961dddcbaf3b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C4D05E30A5120DEFCB40DFB9EA5299DBBF9EB44204B1041A9E909D3380EE313F009B90
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e1695473461b5ec4e215b53868098b35e876587e6c6837bcfa38cccdc75ff99f
                                                                                                                                                                                                                                                                            • Instruction ID: 180a52166c14d89357341dd5db684ffc782e2a0d51e8953f1f10286d36d88b3d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e1695473461b5ec4e215b53868098b35e876587e6c6837bcfa38cccdc75ff99f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 09E01230A0470FDBDB64EFE1C5547AE7772BB0430AF204415D501A6254EB74850ACF81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000018.00000003.1504379867.0000000006DE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DE0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_24_3_6de0000_rundll32.jbxd
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: yL_^
                                                                                                                                                                                                                                                                            • API String ID: 0-4278417862
                                                                                                                                                                                                                                                                            • Opcode ID: 75641cd7befdfb29467171df25830c0e79f35c627fe24066c1bec93e0029bf33
                                                                                                                                                                                                                                                                            • Instruction ID: 20a922b94409cec7c3b80e527f8c36af8fc6eefd7757fda5a89bc454dff976c0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 75641cd7befdfb29467171df25830c0e79f35c627fe24066c1bec93e0029bf33
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2341C517B5C2A60AF31277BCB4520ED7B949F413A8B0C46B7D0CD894B3EE196887C299
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: H
                                                                                                                                                                                                                                                                            • API String ID: 0-2852464175
                                                                                                                                                                                                                                                                            • Opcode ID: 584b07200daf34e7f7110915eca0ffaac1f6867a124adc8212205dc22b717b36
                                                                                                                                                                                                                                                                            • Instruction ID: f97c354bb1486a9742a50e6cb3143f8ea1e2a7a3e603afc3b52fe4f5c37d378b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 584b07200daf34e7f7110915eca0ffaac1f6867a124adc8212205dc22b717b36
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7D219431A1851A4FEFA4EB28D851BEDB7E1EF45300F0441B5E44DD72A3DE25AD86C780
                                                                                                                                                                                                                                                                            Strings
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID: qL_H
                                                                                                                                                                                                                                                                            • API String ID: 0-3462653048
                                                                                                                                                                                                                                                                            • Opcode ID: 010798975e6ce94f6c20098d7d67a2351dcdccb941d2b98410bfcd3c682b5a82
                                                                                                                                                                                                                                                                            • Instruction ID: 5de84e96fe49178063b867d13e7944543afc8f2e0bbbd272bddda662feb981b5
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 010798975e6ce94f6c20098d7d67a2351dcdccb941d2b98410bfcd3c682b5a82
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A901F926A1D8890FD704D39CB8A52FDBFA1EF95250F1001B7D059C72A2DE152C53C341
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f132435671234d71704e214fc0829b7bab4203ddd79482d2cf65d6747ff45632
                                                                                                                                                                                                                                                                            • Instruction ID: e7ab8590f4f9a76352a9b4f8f959a9d085401479c10d5abc30ae6b0f4696af2d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f132435671234d71704e214fc0829b7bab4203ddd79482d2cf65d6747ff45632
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8C427431A18A1E8FDB64EF18D445AA973E1FF58310F5442BAD05DD32A6DA35FC82CB81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9473de0efbd39d8622f6bea1d286cf6bc7aff3350210c944f8f61c23d1ea334a
                                                                                                                                                                                                                                                                            • Instruction ID: dc0794ea3c89cc5d389df25b611c713a8e3156f4b0de94791c002de26ee91537
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9473de0efbd39d8622f6bea1d286cf6bc7aff3350210c944f8f61c23d1ea334a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5A32083072C7464FD769DB2C849563977E1FF99310F14867EE4DAC72A2EA29F8028742
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 853abb73a9b649640a80d0b81414e1422e0ac8a105ffabc03bd58182ee851d65
                                                                                                                                                                                                                                                                            • Instruction ID: d1265aa1feb05623499b147a14c97fbad73b34e890d7fe9c1c38203e1215ffa1
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 853abb73a9b649640a80d0b81414e1422e0ac8a105ffabc03bd58182ee851d65
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 29B1C532A6CA474FE7B5DA2C858067577E1FF55324F1406BAD0AEC31A1EA2AF841C741
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: fecd33fca45ed3891f0017ec53e9e438469816868c9c7a88b76a4e50ba759761
                                                                                                                                                                                                                                                                            • Instruction ID: aa09f5626f37423a599bd04ac81338c6d05a6deea702ee7a25cfda5181f1f248
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fecd33fca45ed3891f0017ec53e9e438469816868c9c7a88b76a4e50ba759761
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: DF515031918A1C8FDB68DF68D845BEDBBF1FB59310F1482ABD04DD3252DE34A9858B81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
Memory Dump Source
• Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            • Instruction ID: 5ecd5f2a9f60b40af92f4a6ff944f7755b212556b762bd1b96cd1961c1727f43
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 83a64cf183209a9fc28c8eed9a9ab473fc16bdd2d3268328bf6243ac8bd1a947
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0821B322B6CD4A0BAB5DA61C64424FD37D1EB98350B04417FF45FC36A7ED29E8434685
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 36cd0c8e8b705f6891587825deb13abc7cb95eac58c765974e3b17f7d46c9715
                                                                                                                                                                                                                                                                            • Instruction ID: e5f0509634877e7ddb5f3b4cb570315b1f7438283f8beb22ad1f84465ccda470
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 36cd0c8e8b705f6891587825deb13abc7cb95eac58c765974e3b17f7d46c9715
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B5218231A1890B4FEB98A728A0557BD77D2FF85351F5801BBE01DC71B6EE2A9C428740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: a82f4f8511a0adcb309eb2dcb0681b12cd46e7c07bad5591f8f47bd715532d71
                                                                                                                                                                                                                                                                            • Instruction ID: 03c5f7d9581e163b43466c0dc3a0340d688a4926c864ba0800986df2aa39a28a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a82f4f8511a0adcb309eb2dcb0681b12cd46e7c07bad5591f8f47bd715532d71
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 1A215331B2890B4FEB59A72890157BD72D2FF84301F54417BE01EC35B6EE2AAC418740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 636422dbea6d5a0ba97986dc3b81ba35f33457fbd5bd7240503e72f7340b3cc3
                                                                                                                                                                                                                                                                            • Instruction ID: cb52e9ad08794c9bffef8c15bed2d03b67def546a688d56e424121703e928024
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 636422dbea6d5a0ba97986dc3b81ba35f33457fbd5bd7240503e72f7340b3cc3
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9C215B3255E6CA2FD71697382C264FB7FA4DF8321071802EFE058D7172D91D59168391
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: bbf29926e3a66229e4ae0c4d59978561152fbdd71232a4659f7884c221f22c69
                                                                                                                                                                                                                                                                            • Instruction ID: 863f039c4003ead333b446bd10655dbfdafc6b8cb43980c49fa24d232a1b95bb
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: bbf29926e3a66229e4ae0c4d59978561152fbdd71232a4659f7884c221f22c69
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D3210817B5D5661AF35273AC78560FE2F54CF43379B0C0277D19CC94A3DD0A24478295
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f88efa7f200e8bf0dd7fd48c4c48a6329a7a651f5eae526d4de22bdb042af7f2
                                                                                                                                                                                                                                                                            • Instruction ID: 2dbe237597590134f66d09e9af43a0ce4ff9988a357eeba7aaafb057d81a48d0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f88efa7f200e8bf0dd7fd48c4c48a6329a7a651f5eae526d4de22bdb042af7f2
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D531493051CB8C8FEB68DF28C8557D97BE1FB98350F14826AD849C7265CB34A945CB81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 97de6299a9e3e761e6b400dbc90072c93643846594e3384c14866b0fcea9fccf
                                                                                                                                                                                                                                                                            • Instruction ID: 7fff3582f1fb71b4e863a4a506dd25b133cc38975c0aa0e71bf9f722834fa521
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 97de6299a9e3e761e6b400dbc90072c93643846594e3384c14866b0fcea9fccf
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0B212130A1954E6FEB44EB7888161FDBBE1EF89200B4840FAE49DC71B3ED296C029741
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e84d217fd433779b0bd47ebeb6750dd14c1be4af8665533cd8f469ed772c5354
                                                                                                                                                                                                                                                                            • Instruction ID: 590e6639fc54141bb92674fc660ee896b30685f7ddb8dfe7b1902c3b0687c646
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e84d217fd433779b0bd47ebeb6750dd14c1be4af8665533cd8f469ed772c5354
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2F113D3214DA4C8FCB85DF58D490DAABBE0FFA6354F50466FE04AC6160DA72D585CB82
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e6e395ae2215cdcff3bf8dec12c0a247c5a545da872e593bff09179ec811bc2b
                                                                                                                                                                                                                                                                            • Instruction ID: 35831dd017c09391e1c24847ab1afcf2808e0766b208cdb3a7e0b6e4711dd4b6
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e6e395ae2215cdcff3bf8dec12c0a247c5a545da872e593bff09179ec811bc2b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3001FC31A1C5491FD7A1D73C8459A7A3FE5EFD525070941FBD448C3266EE24DC028752
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0d9da248190f9a5172fcd06a080f76dd36b4dd0ac72c8625807608e233b030d8
                                                                                                                                                                                                                                                                            • Instruction ID: 70da0a82f94542a0978798a42c6f900ce22d7ae473c0a94d6fc2b5195b9c69dd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0d9da248190f9a5172fcd06a080f76dd36b4dd0ac72c8625807608e233b030d8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4014723B5D5571AF366B26C24421FE2B98DF46328B0C02B7E19CC64A3EE0A28078295
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9433d23563d2a1d206b7d02d358965f9142eba12ee1d4959c507d4f9e422d7af
                                                                                                                                                                                                                                                                            • Instruction ID: 9c6ab2296d9eae82eae6b8e251a63ade491bbac8c3b1e676ff6d238ffaab3e29
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9433d23563d2a1d206b7d02d358965f9142eba12ee1d4959c507d4f9e422d7af
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6A01523185E7D91FC753AB744C684993FB0EE5721170945EFE494CB0B3EA185809C712
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 839a85335454524353397634320b5e032459dc89b4c26029434788e17490d7be
                                                                                                                                                                                                                                                                            • Instruction ID: 790d42bb7af6571a9b44e2221c776e7ad75fcd4fa0b2ded489a144d9938986fc
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 839a85335454524353397634320b5e032459dc89b4c26029434788e17490d7be
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D9012B3771CA1A8AE311F768A8490FD7391DF91361B184B3FC059C72B2EE256A4A87C5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d60f144cd4364540b32a736e1764f2d7922825252d035b398a622174cd54cde5
                                                                                                                                                                                                                                                                            • Instruction ID: c8bda28b71633c38108d4d74c6db362ea077ef9e0bec57e43673a3234b24d40c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d60f144cd4364540b32a736e1764f2d7922825252d035b398a622174cd54cde5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E811A53150D6CC9FDB42EB7888656AA7FF1FF1A300F0805DAD445E72A3DA189915C752
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 1197f606a3fa6591573210e3781ce37097933e5e74071f60297c401e048a82a5
                                                                                                                                                                                                                                                                            • Instruction ID: de7c82d768599d1d35535f19a3bbfb2353a1e0b845ca7dbed570a8fc8fc144a3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 1197f606a3fa6591573210e3781ce37097933e5e74071f60297c401e048a82a5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3A012611E2D6574FFA705374041A3B9ABD19F01200F2942BAE859472F3FD1EBC819210
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 4e95bec91a48c469924782c01b815c0f023c30efa731df1fc32bbcf57ef0ed27
                                                                                                                                                                                                                                                                            • Instruction ID: 089e9b530b4d207ae47d7ea696ab20ea9f182b549135374b4d9597fd00f53a8a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 4e95bec91a48c469924782c01b815c0f023c30efa731df1fc32bbcf57ef0ed27
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 53F06831B1C90E0FD6D4E61C944477676D5FB99310F50027BE41DC3366EE2ADC418781
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8bf67b115ce7c2e8daf8f1ea825922bc2603f5853062caff335a68d2fa19251c
                                                                                                                                                                                                                                                                            • Instruction ID: 401eb4f44cf34edb8fa835a3cde1e526ff482b8ab21344fcb3eb6b62122316f4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8bf67b115ce7c2e8daf8f1ea825922bc2603f5853062caff335a68d2fa19251c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 97F09602B5DA0F0EF5E5955C255427C66C2EB88562B54527BD80EC21A6FD1A9C470341
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
Memory Dump Source
• Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            • Opcode ID: fd96b2f467d0f8df5332260f25d3e9a2e080e8f51351d1f3bc928ac0c1c0860c
                                                                                                                                                                                                                                                                            • Instruction ID: 94d670fc0980677ca5910c0c8bc01a6027dcd03109f5d890bef0435e5cce63c7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fd96b2f467d0f8df5332260f25d3e9a2e080e8f51351d1f3bc928ac0c1c0860c
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3EF0E933A18D1F4FEBA5D76C80252BE7BE1EFC8211B1002BBC42CD3165ED269C524340
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 30c9626a7acd3d1ab88b9df9f5ff1a54e3b0142756ec36495f3db42f3f90e56a
                                                                                                                                                                                                                                                                            • Instruction ID: bd78ba7a42d7017e16f18d6f95af0033513fb8175422daad60fb16e1ef965954
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 30c9626a7acd3d1ab88b9df9f5ff1a54e3b0142756ec36495f3db42f3f90e56a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 79F05432A18D0B4FEBA5D7AC50556BA7BE2EF89211B5403BAD42CD7269ED26DC124340
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: efc270e949ff195bba722357188de94cbb3ae94da7764a1574b9c3ef1a0727a0
                                                                                                                                                                                                                                                                            • Instruction ID: 7742e97a7df2d04552c06a355739ffa8aeeaaea0861c2ab2c3a29ecd619ddbce
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: efc270e949ff195bba722357188de94cbb3ae94da7764a1574b9c3ef1a0727a0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 78F05966A1CAAD0FE774966898183E97B82EF41300F0902FBD41DD32D3DC151D088392
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 9ddc65d0bf6ee05c14cdb50cb8975ced5fed793e45db3ff2376f4ed23dd51a62
                                                                                                                                                                                                                                                                            • Instruction ID: 0350d82dce1d593c52491e62f1986d345100a4b6571d887c52e3fbbd7dbfdcfe
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 9ddc65d0bf6ee05c14cdb50cb8975ced5fed793e45db3ff2376f4ed23dd51a62
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 51F08221668D4F4F9A98EB1CD4906BA73E2FF94340754557AC01EC359ADE28E8438740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8221aa50b20cb542287c08f78d7d52ad836acb39b1788d01c9e0934b2249528d
                                                                                                                                                                                                                                                                            • Instruction ID: 06bbfbb868b2f8d7df68803e59802d0c0f03d3915b95a6d83762252fdad93fc7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8221aa50b20cb542287c08f78d7d52ad836acb39b1788d01c9e0934b2249528d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 99F08220764D0E4F9A94EB1C90505BEB3D6FF94340758457AD01EC799ADE28E8428740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0bbd2d045a147e727d971523d549cc9f5d2fad260910a7b2cf8a367bf0e73db4
                                                                                                                                                                                                                                                                            • Instruction ID: ede74ed13a5370ece7987ffe9ebfb1c6789826859cfe70e30c436f4cfed1c8cc
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0bbd2d045a147e727d971523d549cc9f5d2fad260910a7b2cf8a367bf0e73db4
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A8F02732A1C91A8AE718F624904C1FD33E3CF94311B04473BD42EC32F2EE642A458380
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: fb362e99da1f67a584aab3a60c18471b92364e76d131bc16eefa03986b68c50d
                                                                                                                                                                                                                                                                            • Instruction ID: d4b76c6d5da7970a2483c812b8d2a2456f5f5f84590eb76c5e73c9d6bf61b3e3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: fb362e99da1f67a584aab3a60c18471b92364e76d131bc16eefa03986b68c50d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2BF0E531A5E54F4FDFA0ABA450516FDBBE1EF4A201B4401BAD55DD71A2EA3A9C11C380
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 8d5bfe4ec4bfd07d0e6a05e05c82cb0344dc5844281cd9f933a263431f4790ba
                                                                                                                                                                                                                                                                            • Instruction ID: 9760524698c328cc533a900cb87b9a94807822560bbb1e7d7ee4c528d227cfb7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 8d5bfe4ec4bfd07d0e6a05e05c82cb0344dc5844281cd9f933a263431f4790ba
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: B2E02053F2985A4FDF5097A8BC035FDBBB1EF55211B0402B3C01993071EE1629124291
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: f5e2c45145f62c434479503f70d98769db5af9c7dbcc31e56a45c0cd3ef56177
                                                                                                                                                                                                                                                                            • Instruction ID: 85cb728a1778d525d301c8111cc8580d918c439c0d3e64e46709fd39a0410c57
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: f5e2c45145f62c434479503f70d98769db5af9c7dbcc31e56a45c0cd3ef56177
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F2E08622718D0A479F49AA2C445557D3BD2DF9D380B5406BDE40DD72A7FD14DC428686
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 93ef8487fb8c15fa41af5cdc336314c2fcc393f4d9adf10b9d99942db8585abe
                                                                                                                                                                                                                                                                            • Instruction ID: e670a40e0f789cb6512bf7b96d8076aea8bb841178bad16130c9f6aea2da947c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 93ef8487fb8c15fa41af5cdc336314c2fcc393f4d9adf10b9d99942db8585abe
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C4E0D811A2D6575FE7711374441A3BABBD06F44341F1502FAD898431F3FD1EAD918190
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 34cbdc69cc36b89cc5f8f83698886e60bccdc090bf8bf35fdf451943a1757897
                                                                                                                                                                                                                                                                            • Instruction ID: 00b8f0c12e1a12b6980ca6d3218c469f9120fa8a883c1828beaecdcb2c026c09
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 34cbdc69cc36b89cc5f8f83698886e60bccdc090bf8bf35fdf451943a1757897
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A9E0D851A1E58A1FE74193B8482A2ADBFD0DF05100F1442E9D488C7063DD1A28564381
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 7064c9391ecfd539c4b0216476f817384554f49461565fdb4ee5ba133f45312b
                                                                                                                                                                                                                                                                            • Instruction ID: 7b2a0695ce32a77fe7de9c9776b13e3877ea23f07fae52b868bad54da5850a1a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 7064c9391ecfd539c4b0216476f817384554f49461565fdb4ee5ba133f45312b
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 27D0122374D50E0BD648559CB4452E873C2E789320F50023AE55EC2293DD5F88825241
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: eb378351478f0ce44e3d8dffb3bac8b97a531386f15e7cc51b952c0df90f7b44
                                                                                                                                                                                                                                                                            • Instruction ID: f663d1fc3493c5f13010d7fa5f745bc5babd5dfbc4910c2fc4ba4bf3acc391c7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: eb378351478f0ce44e3d8dffb3bac8b97a531386f15e7cc51b952c0df90f7b44
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CBD0A703BA9D0F0A9A49B22CB4955FC63C2DBD41A07480777D41EC319AEC5D59830741
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: a283d82e11195db6466c3df49096348c8981be879ad3a36deed4f524330f4c61
                                                                                                                                                                                                                                                                            • Instruction ID: 960ba1597bbd0f9f456a2e1a89cf1d15b247b786f7c89a945189fc626c58106d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a283d82e11195db6466c3df49096348c8981be879ad3a36deed4f524330f4c61
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EED0A701B58D0E0B9A89B26C74559FDB3C6DBC41A1B8C06B7D40EC75ABED5C58834340
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d80bf118e39415622245d236c2b631d0955e46f64151b5a0ef42af89961d52a9
                                                                                                                                                                                                                                                                            • Instruction ID: 2570554e176f521dd69f7c34bd713772cefdd8e4f4f4f469215b071f9b6aaf69
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d80bf118e39415622245d236c2b631d0955e46f64151b5a0ef42af89961d52a9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A0D01212B79D1F0A94A5A31C785527C5186DB84150B494373D41CC726ADD1D9C820281
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 65acddfa58490fa8aca94a81c92c157451af949261402fe7bbaf8c311d5bded6
                                                                                                                                                                                                                                                                            • Instruction ID: f5d2b09d2ba5093898bdc95d52d98f2ac986eabae8e0f1239c5d1b1df87e4282
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 65acddfa58490fa8aca94a81c92c157451af949261402fe7bbaf8c311d5bded6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D4E0CD2094D15A5FC700D76DE8915FFBFF4EF8511070005A6D569931A2CE2926358B50
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 00000019.00000002.1686713122.00007FFE7D110000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D110000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_25_2_7ffe7d110000_AgentPackageAgentInformation.jbxd
Strings
Memory Dump Source
• Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
Similarity
• API ID:
• String ID: qN_H
• API String ID: 0-3454480406
                                                                                                                                                                                                                                                                            • Opcode ID: a7bbd3f5d399775652efe9439434016a16635c04ad9bf1dfa584fe54a1f7b467
                                                                                                                                                                                                                                                                            • Instruction ID: 3739f3af0a24262b7f6d34cda614295e09bf7f11a3c9c6c7b1cc07574262033e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: a7bbd3f5d399775652efe9439434016a16635c04ad9bf1dfa584fe54a1f7b467
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: EF012D26F185484FD710D39CA8A62FEBBD3EF89320F2051BAD059D7291DE1438538741
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
Memory Dump Source
• Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 228f80ca95f2b32d2a242e8928f0acc946c97f56af6a02ed20b0869b7ebfcced
                                                                                                                                                                                                                                                                            • Instruction ID: b126b1c057ebb3aed31971eb1ca231c337e2a0401ae6fd308084487c21cfbf5f
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 228f80ca95f2b32d2a242e8928f0acc946c97f56af6a02ed20b0869b7ebfcced
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 44322A3062C74E4FD768EB2D949563977E1FF99300F14867ED4DAC72A2EA34E8068742
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b76429df12f130a34b95403e00b303c6ac6c9167a3e0bd5350d25e69ed8f2699
                                                                                                                                                                                                                                                                            • Instruction ID: 309bd4049a8ff80e8e72eceb0523016003d506198e0c3ae4ebcd3ac6ab4e0fd7
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b76429df12f130a34b95403e00b303c6ac6c9167a3e0bd5350d25e69ed8f2699
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 7351D43161CB098FDB58DB1CE4416A6B7E2FF95311F24067ED49DC3261EA36F8468782
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: d1bad980e059f1e665d9bf33677c59dc26e909cd90fb32a9469a506640314102
                                                                                                                                                                                                                                                                            • Instruction ID: 70a2a3daf46124235bd73cc6172cead7565902714e187173652b4b7370732a9c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: d1bad980e059f1e665d9bf33677c59dc26e909cd90fb32a9469a506640314102
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 5B518031908A1C8FDB64DF58D845BEDBBF1FB58310F1482ABD40DE3252DE34A9858B81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 5d1cf6e2f8c38bd91fc332a073704911d708df81f414d640e9d71deed6971111
                                                                                                                                                                                                                                                                            • Instruction ID: 891024627da2f59fd8a3ff57aa65281ef2e0758b796bd908916d2adaf6bd44bc
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 5d1cf6e2f8c38bd91fc332a073704911d708df81f414d640e9d71deed6971111
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 2E51D732628B594FE751B76CE4053EDB3D0FF98365F440A7ED089C35A2DB64A485C782
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 16b79297945d100a7347986a4ac5f339734092d17bd7667e84c0a0e59c9d3e7f
                                                                                                                                                                                                                                                                            • Instruction ID: c4cbca5785173f1d84d13783fe29e4cb15b0c3e1a344a8ef7a506be82bba9e9d
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 16b79297945d100a7347986a4ac5f339734092d17bd7667e84c0a0e59c9d3e7f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 05411923B1CA1A86E215775DE8420FD73C1EFC4372B24063BD28DC65A2DF24B44782D5
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b20cfec86c1c02186da3f517caf021f5a762da184236bc47087f7746ec55c0e5
                                                                                                                                                                                                                                                                            • Instruction ID: 15ab6221b230b45a3b6a8de59e9ad02e194dcee2bb238de0521201a29b950ef5
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b20cfec86c1c02186da3f517caf021f5a762da184236bc47087f7746ec55c0e5
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 51418221A1D989AFD791F77C446A9FE7BE1EF09200B1445FAD449DB2B3DE38A8418340
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b7d8ad1ab407bdf811de9a64d02e242cd30ca8ff9793c77704e109569926b1a6
                                                                                                                                                                                                                                                                            • Instruction ID: 1f4a29c7e88977334a7ca5a34e1a270d4687975885c4e50d64c5adfa9320755e
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b7d8ad1ab407bdf811de9a64d02e242cd30ca8ff9793c77704e109569926b1a6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 0041F631A1C94D4FDBA4EB3884557EA7BE3EF89300F1441B9D05DD72A2DE34B8868740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 69a1014138c3fd9c84193e326a5171e822f03adf872aaeadbd67622260b52270
                                                                                                                                                                                                                                                                            • Instruction ID: ec24e834aaa39eddeaf694ddfe24a92418bfe47df5acac82121944b68b64c9cf
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 69a1014138c3fd9c84193e326a5171e822f03adf872aaeadbd67622260b52270
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 46314F31719D0E4FEAB8E65DA4A4AB563C2FFAC31172406BBD41DC72A9ED25EC418381
Memory Dump Source
• Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6131493051CB8C8FEB64DF28C8557D97BE1FB98350F14826AD849C7265CB34A545CB81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e84d217fd433779b0bd47ebeb6750dd14c1be4af8665533cd8f469ed772c5354
                                                                                                                                                                                                                                                                            • Instruction ID: 0b36b0cc025de974e22f729ad9980c1c46a2a2a1db62b9b7c021bc972d680324
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e84d217fd433779b0bd47ebeb6750dd14c1be4af8665533cd8f469ed772c5354
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6B11303210CA4C8FCB85DF58E490DAABBE1EFA6354F50465FE04AC6160DA76E585CB81
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 97da519fee48762312dc78382715b94b0fbd1aeb12535aaa0b3fa66037deacfb
                                                                                                                                                                                                                                                                            • Instruction ID: f047ec06919e870cacdc661b0eb8794c32993faa1027ecff76be6787fbd1bce4
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 97da519fee48762312dc78382715b94b0fbd1aeb12535aaa0b3fa66037deacfb
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: CC01FE23A5D69A1AF756737C28521FE2F96DF46324F1C02B7D29CC64E3EE0838478285
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c47ce366a96936f192b56e86136571211287b06e1e5d36b491364843b2fe7f5a
                                                                                                                                                                                                                                                                            • Instruction ID: d994e5221281bf5c794c6641a5e1647dd58ae04c6ee26ed73e8292b9508f2b81
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c47ce366a96936f192b56e86136571211287b06e1e5d36b491364843b2fe7f5a
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 8601B571C0EBC81FD762D7744C2959A3FB1EE47221B0A01EFD448DB1A3DA286809C312
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: da5f351d29a2f0921ea12f2e1aaf6fa61de31318f1f09170d703f70ae79e1858
                                                                                                                                                                                                                                                                            • Instruction ID: 53049b61c6d72b519d83abec9457c045888e714491d45430d1d9dd9a87369b4b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: da5f351d29a2f0921ea12f2e1aaf6fa61de31318f1f09170d703f70ae79e1858
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 9D01A111D2D7468EF6709374041A3BB7BE3AF45640F3892B4C4594B2F3FE2CB4458252
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: cf48e57b49e43c92214a849173aca594cb45b4f66aef5bc349b728b56959ee96
                                                                                                                                                                                                                                                                            • Instruction ID: 63e493f82d6eade788b3447770998e9329e9d842fd37ac398fb78a24a182134b
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: cf48e57b49e43c92214a849173aca594cb45b4f66aef5bc349b728b56959ee96
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C9F04F31B1890D0FDAE4EA6CA84476677D6EB98310B50127AE45DC3266EE29E8418791
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 737827cab437aeff2e6a5b6134272ed49ff3a6bdedbac29558e82f1aaaeb093d
                                                                                                                                                                                                                                                                            • Instruction ID: 982f95e8a96ed7360dd044df9c1b15bd8063053465d95df4b153e837e4327b4a
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 737827cab437aeff2e6a5b6134272ed49ff3a6bdedbac29558e82f1aaaeb093d
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A3F0F602B2DA0F0EF1E5955C251427D72C3EBC8261B64767BD80EC2166FE59A8530340
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 01a99c84f859cc88a742b5e514df41057aa6311b12ca24411830bafc3351c1f1
                                                                                                                                                                                                                                                                            • Instruction ID: 9594e26932c83f797b62f434d6a9c427d6a4b10d5cad838dc111e1c660e50636
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 01a99c84f859cc88a742b5e514df41057aa6311b12ca24411830bafc3351c1f1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 70017131918A8CDFDB84EBBC88656EABBF1FF5D300F0904A9D045E72A2CA34A815C751
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 835a7980fcec07c60306862faae813dfd459050d8e9a05b94e427b4016a1e5de
                                                                                                                                                                                                                                                                            • Instruction ID: 32f261d57aef7573c666c54b6d9cb06129d3608f8d3c31557cb760c268ec0154
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 835a7980fcec07c60306862faae813dfd459050d8e9a05b94e427b4016a1e5de
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 17F0C231A1990A5FE7A5E73C846967F6BE2EF48210B5505B9D409D72A2DE28AC428340
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 16d0caf241b86f72d319069249fb9343748335cefe226d12c0251051fe885edb
                                                                                                                                                                                                                                                                            • Instruction ID: 91198dffd915e32a0c967f3a0622d246e84ddcf685513d6e070779b66653cc1c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 16d0caf241b86f72d319069249fb9343748335cefe226d12c0251051fe885edb
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: C9016D319187CD4FDB96EF6888181AE7FB1FF55200B0405EBD468D71A2DB7969148741
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b44981dfa3a9b1cc4a32305cd9afa514abeba190678675f0eb751e20df878fcb
                                                                                                                                                                                                                                                                            • Instruction ID: 6cb8bb4e54664dbd72dc6d3f03c5cdf12b548dfa37c3f1ea3a030fabcb8142d0
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b44981dfa3a9b1cc4a32305cd9afa514abeba190678675f0eb751e20df878fcb
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 52F06512B6CE1F0FE695B66C25052BDA1C3EBC8661B64797BD40EC21A2FE5DA8934240
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 936a1f9cab21895fe1cc2cad60d327d97c95f210aaa430d7e89cd5ba424270b8
                                                                                                                                                                                                                                                                            • Instruction ID: 1d0578d81fdbe88937b23b6a81ce465317194b0a2f6478d8ad659d668c20ce73
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 936a1f9cab21895fe1cc2cad60d327d97c95f210aaa430d7e89cd5ba424270b8
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: BBF0543261894E4FEBA5D76C40255BB7BE3FFC8211B6502B9C41CC3265EE35B8414340
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: b9e3054b38557c4a966e4c7f7bfe02ad5030b8314fa2ed24d3056226533229f0
                                                                                                                                                                                                                                                                            • Instruction ID: 27a567c7c1cfaeb6a94bae70dd2242d5660214485010707b0c60ac1bdb6e9655
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: b9e3054b38557c4a966e4c7f7bfe02ad5030b8314fa2ed24d3056226533229f0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: E8F05432A1C94B4FEBE5D76C40252BB77E3EF88211B6512BAC45CD3265EE34A8424340
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: c598a00fda06ef025ae63c509b0859c6a05ce5519807e2ac189e7249adbaa200
                                                                                                                                                                                                                                                                            • Instruction ID: 5b18f9de44f8c635ae90885a3eb554f4bceb0cf041ed86c263ff6a7276a20217
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: c598a00fda06ef025ae63c509b0859c6a05ce5519807e2ac189e7249adbaa200
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 55F05B3261494A4FE7A5D76C40151BB7BD3EFC82117750675C42CC7265DE35A8534340
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: e5c3ecd1403c122afb68f2b0eab25e51a53068f81f6739d5d4d73226cf3f1be0
                                                                                                                                                                                                                                                                            • Instruction ID: 3e7dd82b3c2eb8251fffcb9488134603f7a85e3aa41153920c0dbfb986c61004
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: e5c3ecd1403c122afb68f2b0eab25e51a53068f81f6739d5d4d73226cf3f1be0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A4F05967A1CA9C0EE774976898143EA3A83EF85310F1801FBD50DD32D3DC142D0887E2
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 3c9b87ff9dfd03aa98920cab761146a5c8c3ba02d8066b3b24a4d7e021fd45db
                                                                                                                                                                                                                                                                            • Instruction ID: 6236e41349eef9c7ed206691f076a85086e149b99c6dc8e55111cf289910748c
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 3c9b87ff9dfd03aa98920cab761146a5c8c3ba02d8066b3b24a4d7e021fd45db
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 6BF08221664D0E4FDA98EB1CD090ABE73D2FF94340754557AD01EC369ADE28E8424740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
Memory Dump Source
• Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 33234da69fd65b175070d32cfa193643b687dcdf8ef9e8c33406dc466e2ece60
                                                                                                                                                                                                                                                                            • Instruction ID: 31c793c71ed11bab74943141d85c0844bba612d497f05ed28ec9e17dfecd3687
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 33234da69fd65b175070d32cfa193643b687dcdf8ef9e8c33406dc466e2ece60
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: D9F0A032A189098AE758F62480592BA32D3DB98311B284B3BD42AD32B5EF647A458394
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 0ad335590a7404cedb706d66586b82e6d0a32f5f1037ea9c817388eb8522a747
                                                                                                                                                                                                                                                                            • Instruction ID: 0ecb900b55e66d3c3c83b46f98f91ff6ae24c210941c2a2869823c9f50803ebd
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 0ad335590a7404cedb706d66586b82e6d0a32f5f1037ea9c817388eb8522a747
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3EE0D832B18E0A4BDB59A62C441547E37D3EF9C380B5411BCE40DD32A6FE24FC518685
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 769cbce4fd5f736e0cfac11f4b9a42a9c7ca8b99104ec541fcb84e9589e64ce6
                                                                                                                                                                                                                                                                            • Instruction ID: 9871e60c0663f2bcae2b92818c145a9a01aba974c736be4cb945a5971708e529
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 769cbce4fd5f736e0cfac11f4b9a42a9c7ca8b99104ec541fcb84e9589e64ce6
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F9E08C22A689989ECA5087A8AC162EDBBA6EA89212B0016B6C10AD3161EA2424164390
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: baebf98847de74060c02cf2f9202ea167ef31fed07f9f7f475d05143628f955f
                                                                                                                                                                                                                                                                            • Instruction ID: 95cecd708906dd5fda75250e749270e49024efb6f20e23287764f88aaa1765de
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: baebf98847de74060c02cf2f9202ea167ef31fed07f9f7f475d05143628f955f
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: A4E0D81192C6564EF2715374041A3BB77D39F48741F2551B8C488471F3EE6CF4858291
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 19b2c7ac6f45d1024ee76636f6d11fbd782d9b212cff3bf6dc9d422ac9f90bf9
                                                                                                                                                                                                                                                                            • Instruction ID: cc1aa4edba16bbc00a3ebdbe051245ae371d4b7185c80a4e8a49b54f8b67e5f3
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 19b2c7ac6f45d1024ee76636f6d11fbd782d9b212cff3bf6dc9d422ac9f90bf9
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: F8D0A703BA8D0E0A9A49B22CB0959FD63C3DBD41A07581977D40EC719AED5C69830740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 81d84b2ffb57f501b7ea42f0f0b23530143a7285d5b9c4cc7edacc88a04883e1
                                                                                                                                                                                                                                                                            • Instruction ID: 4bd593b65845ad8f0ea41997411907682c3fcca32ec011395c76e5314fa59807
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 81d84b2ffb57f501b7ea42f0f0b23530143a7285d5b9c4cc7edacc88a04883e1
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 11E0C22094C19A9FC740D76EDCA15EE7FF1FF8A210B0004EAD169972A2CE3875368B61
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 40fa7bba2d57d6f97f8df4a0fd8d54f2a22abe6ab53470e0f89388ada7261ea0
                                                                                                                                                                                                                                                                            • Instruction ID: 388bb6e5a2bb0740b421e714d2e312b1b41e0386db07a70fe53efb8c37e93b02
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 40fa7bba2d57d6f97f8df4a0fd8d54f2a22abe6ab53470e0f89388ada7261ea0
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 21E0C222618E4A0AE271E61C8054BFA77C3EB94320F28026FC05EC23A6EF2CB4468740
                                                                                                                                                                                                                                                                            Memory Dump Source
                                                                                                                                                                                                                                                                            • Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
                                                                                                                                                                                                                                                                            Joe Sandbox IDA Plugin
                                                                                                                                                                                                                                                                            • Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd
                                                                                                                                                                                                                                                                            Similarity
                                                                                                                                                                                                                                                                            • API ID:
                                                                                                                                                                                                                                                                            • String ID:
                                                                                                                                                                                                                                                                            • API String ID:
                                                                                                                                                                                                                                                                            • Opcode ID: 2663463d1dbff6067ea25fe3fdafbb440f0473d7a0c8a9f1c4552cdf5b222b2e
                                                                                                                                                                                                                                                                            • Instruction ID: 8ae82c491ed0d58a3b688becba4b678b8865937affafe99ce8e0782f0bae5577
                                                                                                                                                                                                                                                                            • Opcode Fuzzy Hash: 2663463d1dbff6067ea25fe3fdafbb440f0473d7a0c8a9f1c4552cdf5b222b2e
                                                                                                                                                                                                                                                                            • Instruction Fuzzy Hash: 3BC08C12B68A0A0AA650B25CB4818FFB382DB942207A46677D02EC119ADD2EE8870340
Memory Dump Source
• Source File: 0000001D.00000002.2141474307.00007FFE7D0F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFE7D0F0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_29_2_7ffe7d0f0000_AgentPackageAgentInformation.jbxd