Edit tour

Windows Analysis Report
SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi

Overview

General Information

Sample name:	SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi
Analysis ID:	1484988
MD5:	46a75de058e385dd2682950f346f943b
SHA1:	61213bed0ef6103cfbb95772bde3d2206cba2c06
SHA256:	21c84b112b3f5c7bfa77f10353397d17feb3d2b991f66129a3ca70014e6389a6
Tags:	msi
Infos:

Detection

AteraAgent

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

System process connects to network (likely due to code injection or exploit)

Yara detected AteraAgent

AI detected suspicious sample

Bypasses PowerShell execution policy

Creates files in the system32 config directory

Found suspicious powershell code related to unpacking or dynamic code loading

Installs Task Scheduler Managed Wrapper

Loading BitLocker PowerShell Module

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Sample is not signed and drops a device driver

Yara detected Generic Downloader

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Checks for available system drives (often done to infect USB drives)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates COM task schedule object (often to register a task for autostart)

Creates a process in suspended mode (likely to inject code)

Creates driver files

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

PE file does not import any functions

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Stores large binary data to the registry

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Uses net.exe to stop services

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara signature match

Classification

Process Tree

System is w10x64

msiexec.exe (PID: 5588 cmdline: "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi" MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5456 cmdline: C:\Windows\system32\msiexec.exe /V MD5: E5DA170027542E25EDE42FC54C929077)

msiexec.exe (PID: 5948 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding FBC342A8ABDF04038F10EFC029C1656D MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 1268 cmdline: rundll32.exe "C:\Windows\Installer\MSI2852.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5908796 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2360 cmdline: rundll32.exe "C:\Windows\Installer\MSI2EAC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5910218 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 2520 cmdline: rundll32.exe "C:\Windows\Installer\MSI3F86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5914531 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7124 cmdline: rundll32.exe "C:\Windows\Installer\MSI5DC1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5922250 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd MD5: 889B99C52A60DD49227C5E485A016679)

msiexec.exe (PID: 4744 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding B756259567EEAEDF13A18B94143184C3 E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

net.exe (PID: 1848 cmdline: "NET" STOP AteraAgent MD5: 31890A7DE89936F922D44D677F681A7F)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

net1.exe (PID: 5060 cmdline: C:\Windows\system32\net1 STOP AteraAgent MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)

taskkill.exe (PID: 2232 cmdline: "TaskKill.exe" /f /im AteraAgent.exe MD5: CA313FD7E6C2A778FFD21CFB5C1C56CD)

conhost.exe (PID: 1628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AteraAgent.exe (PID: 2704 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="flaviolimapontescliente01@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KZFzxIAH" /AgentId="f59f3442-6117-4640-8aae-6ef22eb1ae8f" MD5: 477293F80461713D51A98A24023D45E8)

msiexec.exe (PID: 6184 cmdline: C:\Windows\syswow64\MsiExec.exe -Embedding 44E5FE7B78B93D720BE1B364377A940C E Global\MSI0000 MD5: 9D09DC1EDA745A5F87553048E57620CF)

rundll32.exe (PID: 5052 cmdline: rundll32.exe "C:\Windows\Installer\MSI2160.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5972437 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 7344 cmdline: rundll32.exe "C:\Windows\Installer\MSI245F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5973109 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart MD5: 889B99C52A60DD49227C5E485A016679)

rundll32.exe (PID: 4616 cmdline: rundll32.exe "C:\Windows\Installer\MSI48FF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982484 46 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation MD5: 889B99C52A60DD49227C5E485A016679)

AteraAgent.exe (PID: 1684 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)

sc.exe (PID: 5060 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 5604 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageAgentInformation.exe (PID: 5344 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "f3f8c138-efff-44a7-8aff-78b661b79ea9" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KZFzxIAH MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)

conhost.exe (PID: 3936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageAgentInformation.exe (PID: 6460 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "97d527e2-ace6-4af1-87ff-fd0bb84d12a8" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KZFzxIAH MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)

conhost.exe (PID: 3136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageAgentInformation.exe (PID: 4676 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "93138382-7cb2-4c66-b5a0-34a2c11202fd" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000KZFzxIAH MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)

conhost.exe (PID: 1400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageAgentInformation.exe (PID: 7196 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "31b88dde-1623-4466-adb0-05f466efd2ea" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000KZFzxIAH MD5: ACCE8B17DE63299AA4D5CB7D709BEEDC)

conhost.exe (PID: 7204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7320 cmdline: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7340 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cscript.exe (PID: 7388 cmdline: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus MD5: 24590BF74BBBBFD7D7AC070F4E3C44FD)

powershell.exe (PID: 7884 cmdline: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser MD5: 04029E121A0CFA5991749937DD22A1D9)

conhost.exe (PID: 7904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 7536 cmdline: "cmd.exe" /c powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)

conhost.exe (PID: 7576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 2796 cmdline: powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1" MD5: 04029E121A0CFA5991749937DD22A1D9)

AgentPackageMonitoring.exe (PID: 7516 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "15ce275a-be83-4afa-bdcf-3f7d4cc3415d" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000KZFzxIAH MD5: B50005A1A62AFA85240D1F65165856EB)

conhost.exe (PID: 7524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AteraAgent.exe (PID: 3292 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" MD5: 477293F80461713D51A98A24023D45E8)

sc.exe (PID: 6780 cmdline: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000 MD5: 3FB5CF71F7E7EB49790CB0E663434D80)

conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageUpgradeAgent.exe (PID: 8028 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "d993a967-e5b2-425f-a13a-df33fb52e8f5" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000KZFzxIAH MD5: 6095B43FA565DA44E7A818CFB4BACBA2)

conhost.exe (PID: 8036 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 5808 cmdline: "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart MD5: E5DA170027542E25EDE42FC54C929077)

AgentPackageSTRemote.exe (PID: 8124 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "4b2bcc99-0697-449c-87dd-e9f93a323079" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000KZFzxIAH MD5: A86B9D7A0085275F89BBD0878DBDEE3B)

conhost.exe (PID: 8132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageTicketing.exe (PID: 6780 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "c5fd7c57-20f4-4d3e-91a5-de108e1018e5" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000KZFzxIAH MD5: 54641F84257F1C9A13FA136CA5640449)

conhost.exe (PID: 7212 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageInternalPoller.exe (PID: 7532 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "659c678a-03f4-46f8-a144-5552c5e31eca" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000KZFzxIAH MD5: 01807774F043028EC29982A62FA75941)

conhost.exe (PID: 7596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Agent.Package.Watchdog.exe (PID: 5668 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "9714075a-7bec-49a9-9497-61d2edb1cb2b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000KZFzxIAH MD5: 0B7534A49A757D7525F7FC966D6CAF5F)

conhost.exe (PID: 884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageSystemTools.exe (PID: 3780 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "6bd80e1c-f436-4cf9-8790-13938e064803" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000KZFzxIAH MD5: E71D2B1309BAFB7AB80B449B882339CF)

conhost.exe (PID: 1272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

AgentPackageHeartbeat.exe (PID: 4708 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "0dbdfe1d-c093-4c9b-82ad-6e5a3763b364" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000KZFzxIAH MD5: 797C9554EC56FD72EBB3F6F6BEF67FB5)

conhost.exe (PID: 4372 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Agent.Package.Watchdog.exe (PID: 5068 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "9714075a-7bec-49a9-9497-61d2edb1cb2b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000KZFzxIAH MD5: 0B7534A49A757D7525F7FC966D6CAF5F)

conhost.exe (PID: 1856 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

Conhost.exe (PID: 6644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

svchost.exe (PID: 7728 cmdline: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager MD5: B7F884C1B74A263F746EE12A5F7C9F6A)

AgentPackageUpgradeAgent.exe (PID: 3732 cmdline: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun MD5: 6095B43FA565DA44E7A818CFB4BACBA2)

conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Dropped Files

Source	Rule	Description	Author
C:\Windows\Temp\~DF6D33A0ADC94BBBE5.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFE5923E136715CD1F.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Config.Msi\5a26d9.rbs	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Config.Msi\5a26d1.rbs	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF603903B513D5BCB4.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFCEE123E47C423CC1.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
dropped/ConDrv	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
dropped/ConDrv	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
dropped/ConDrv	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF6E209428833F2CD1.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF4E59C1764FE9126C.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI7776.tmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFB0521A0F76C387C2.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF790C55AF4C3DCBC5.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF6893122F8D5FBA49.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF6893122F8D5FBA49.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFBE13C9327F3F7CB6.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF0C43DC00A9844606.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI2EAC.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF05EBE42A91F6CC4B.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFB39156E6B5BBCE6A.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFB39156E6B5BBCE6A.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Windows\Temp\~DF6EF34059F1021E6F.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\AteraSetupLog.txt	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFABF0B432F70445F5.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI3F86.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI2160.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI2160.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
C:\Windows\Installer\MSI5DC1.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI5DC1.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF821A8781B12F81CE.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI4330.tmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Config.Msi\5a26cc.rbs	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI5880.tmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DF2CD737AE208E96F1.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI48FF.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\System32\InstallUtil.InstallLog	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Temp\~DFCBEA40FF15FC580C.TMP	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI2852.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.dll	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
\Device\ConDrv	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Click to see the 61 entries

Memory Dumps

Source	Rule	Description	Author	Strings
00000034.00000002.2734005619.000001F433494000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000017.00000002.2264112406.000001B668C30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000038.00000002.2709175078.000001E861C9C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2153248860.000001E2ABEBC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543928000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002F.00000002.2924086021.000001E302300000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000013.00000002.2247425634.00000267BA3A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBC48000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBB30000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2152585479.000001E2AA271000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3273707942.0000023D460C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2834297506.000001E542370000.00000004.00000020.00040000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2152585479.000001E2AA2A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2734005619.000001F43327E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002B.00000002.2630910511.000002E0027A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2936902415.000001E45C410000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003B.00000002.2789137147.000001BABC509000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002F.00000003.2922053260.000001E3022FF000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000013.00000002.2248418409.00000267BA590000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBEC4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2266447306.0000024E7C400000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2260910212.0000024E00047000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3266755368.00000065D0B31000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.3045083540.000001E55B92D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000013.00000002.2248887172.00000267BABC3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2359837565.0000026E262E0000.00000004.00000020.00040000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003B.00000002.2789137147.000001BABC491000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000020.00000002.3267482446.0000019B442B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543A50000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2155535704.00007FF848B24000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3273707942.0000023D4608C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000003.2689661385.0000022086C40000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3174174470.00000163096D3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2369780213.0000026E40655000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2827959743.00000027A7AE8000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543065000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002F.00000003.2875187580.000001E302270000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000013.00000002.2248721633.00000267BAAC2000.00000002.00000001.01000000.00000018.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E54360D000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002B.00000002.2630910511.000002E0027A8000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3244506065.0000016322B42000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2153248860.000001E2ABDC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3274308757.000002695D07C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2760858194.000001F44BBF5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003B.00000002.2787382050.000001BABC432000.00000002.00000001.01000000.00000041.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E5432C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3183499015.000001630A25A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2734005619.000001F4333D5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2556640926.000001CFDAF28000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003C.00000002.2811860268.0000019246402000.00000002.00000001.01000000.00000043.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003C.00000002.2799943703.000001924633E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000017.00000002.2264112406.000001B668CBC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543A79000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003C.00000002.2799943703.00000192462BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E542C9C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.3089682303.00000220869B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3288600100.0000023D46B92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2589449099.000001CFF43E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000017.00000002.2260286662.000001B600083000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E5435FF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2362218873.0000026E2727E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2152585479.000001E2AA210000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3285991937.000002695D94A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2264872270.0000024E7C050000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.3045083540.000001E55B885000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3174174470.0000016309699000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3274308757.000002695CFF0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2734005619.000001F433261000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3285746888.0000023D46892000.00000002.00000001.01000000.0000004B.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2154503758.000001E2C4850000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDB926000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2153248860.000001E2ABE72000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000038.00000002.2709175078.000001E861C90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000017.00000002.2264112406.000001B668C38000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2734005619.000001F43349E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2938598314.000001E45C453000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3183499015.000001630A257000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2154536366.000001E2C4976000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000013.00000002.2248887172.00000267BAB51000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000013.00000002.2247425634.00000267BA3EE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2947709393.000001E45C665000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2942637569.000001E45C4FC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003C.00000002.2799943703.00000192462F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.2575534278.0000018C7FD30000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2362218873.0000026E26CE1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003C.00000002.2818917909.0000019246AB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2831365475.00000027A82F5000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543A19000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2154117226.000001E2C4779000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2830451765.00000027A81E9000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003B.00000002.2772275360.000001BABBCC0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.3035623763.000001E55B4D6000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2835670930.000001E54253C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2938598314.000001E45C49B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2724831615.000001F432C1B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBA56000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.2575434147.0000018C7FB6B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000003.2274406570.0000018C7FD50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3181429809.00000163099F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.2575434147.0000018C7FB83000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543606000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2595880171.000001CFF4906000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000013.00000002.2247425634.00000267BA3A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2615805731.00000206678A3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543A4E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2153248860.000001E2ABE75000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3274308757.000002695D039000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2835670930.000001E5425D1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2260910212.0000024E00073000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3283401681.000002695D2E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003B.00000002.2772890811.000001BABBDDC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2999155152.000001E4753A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000032.00000002.2753876487.0000000004611000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2369489506.0000026E40217000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2938598314.000001E45C461000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2152585479.000001E2AA216000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E542D6A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003C.00000002.2833195274.000001925F2F0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2260910212.0000024E00001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2942637569.000001E45C4B4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2734005619.000001F4334A0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002B.00000002.2630910511.000002E0027DE000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2724831615.000001F432BDB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2264872270.0000024E7C059000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2948323551.000001E45CCB7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2829711183.00000027A80F1000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2260910212.0000024E00083000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2615805731.0000020668A11000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2360088406.0000026E26550000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3273707942.0000023D4610F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3273707942.0000023D46080000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000017.00000002.2264036436.000001B668C20000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2724831615.000001F432B50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2734005619.000001F433280000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002B.00000002.2630910511.000002E002826000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543919000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2936416893.000001E45C3E0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E5433E2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3285991937.000002695D840000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2360088406.0000026E26510000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3219024041.00000163227B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBA4E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002B.00000002.2635428988.000002E002980000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003B.00000002.2772890811.000001BABBD5C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E5434DC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.3045083540.000001E55B8E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBAF4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2379942506.00007FF8A03F9000.00000004.00000001.01000000.0000001B.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543978000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000017.00000002.2260286662.000001B600073000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2556602593.000001CFDAF10000.00000004.00000020.00040000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.3045083540.000001E55B942000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E54354F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3283209157.0000023D46430000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3174174470.00000163096CD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2152372049.000001E2AA200000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000013.00000002.2248887172.00000267BABD3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002B.00000002.2638178858.000002E002FC3000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3274308757.000002695CFFC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543A5A000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBC0C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.3045083540.000001E55B985000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543A54000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.3002981073.000001E4753F1000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2153248860.000001E2ABEA6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2558947208.000001CFDB220000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2948323551.000001E45CDC9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBBBA000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2555505411.000000155C2F5000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.2718929915.0000028681B3B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3183499015.000001630A0DE000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3285991937.000002695D711000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3183499015.000001630A31F000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.3089682303.00000220869BB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000013.00000000.2229421092.00000267BA2B2000.00000002.00000001.01000000.00000016.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2366710372.0000026E3F3A0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.3030057801.00000286F08C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2760858194.000001F44BB50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2948323551.000001E45CDB8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000000.2612366668.000002695CE12000.00000002.00000001.01000000.00000029.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003F.00000002.2778689991.0000027604788000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2556640926.000001CFDAF5A000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2734005619.000001F43349C000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3274308757.000002695D030000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003B.00000002.2772890811.000001BABBD91000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2260910212.0000024E000BF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002F.00000002.2924328286.000001E302BE3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBD95000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2366710372.0000026E3F3FD000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2609908643.0000020666550000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2938598314.000001E45C430000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000013.00000002.2247425634.00000267BA360000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000017.00000002.2264112406.000001B668C6C000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2359986359.0000026E26460000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.3035623763.000001E55B458000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2360088406.0000026E26502000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000000.2624826314.0000023D45F72000.00000002.00000001.01000000.0000002A.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2825838156.00000027A76F4000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2153248860.000001E2ABDF2000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2732932291.000001F432E10000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.3044865188.00000286F1524000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3288600100.0000023D46B31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2615805731.00000206677A6000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003C.00000002.2815241259.0000019246530000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003C.00000002.2799943703.00000192462B0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2760858194.000001F44BBA7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3355927161.00000269760CB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000017.00000002.2260286662.000001B600001000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3183499015.000001630A1B9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543549000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.2948323551.000001E45CB41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002D.00000002.3288600100.0000023D46BAF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3266806247.0000007FFB721000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3228082364.0000016322892000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.3002383624.000001E4753D9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2369527319.0000026E40415000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3183499015.000001630A285000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2360680043.0000026E26692000.00000002.00000001.01000000.0000001C.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2834811670.000001E5424D0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2835670930.000001E542500000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDB814000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2813710956.00000027A5F05000.00000004.00000010.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2264872270.0000024E7C08D000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2153248860.000001E2ABD41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2264872270.0000024E7C0D7000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543547000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003B.00000002.2772890811.000001BABBD50000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003C.00000002.2818917909.0000019246BFD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.3045083540.000001E55B8AB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001E.00000002.2575434147.0000018C7FB60000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003B.00000000.2764706921.000001BABBB22000.00000002.00000001.01000000.0000003D.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2593246742.000001CFF45CA000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.3089978922.0000022086C20000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2584991032.000001CFF404E000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.3045083540.000001E55B903000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000015.00000002.2264872270.0000024E7C098000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000002.2724831615.000001F432B90000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2835670930.000001E542589000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBB78000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000000.2594468379.000001E45C232000.00000002.00000001.01000000.00000027.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000000.2098028173.000001E2AA112000.00000002.00000001.01000000.0000000F.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2153248860.000001E2ABDCC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2615805731.00000206686C8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E5431FC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2589449099.000001CFF4423000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000027.00000002.3002981073.000001E4753E3000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002B.00000002.2638178858.000002E002F41000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2589449099.000001CFF447F000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2556640926.000001CFDAF20000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000033.00000002.3089682303.00000220869D9000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000D.00000002.2152585479.000001E2AA251000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2369676343.0000026E40426000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2360088406.0000026E264C0000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000029.00000002.3285991937.000002695D788000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002F.00000003.2921977102.000001E3022EB000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000034.00000000.2688823349.000001F4328E2000.00000002.00000001.01000000.00000035.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000032.00000002.2753876487.00000000046B4000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000002F.00000003.2916707362.000001E302270000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000003F.00000002.2778689991.0000027604780000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3183499015.000001630A041000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2615805731.00000206679C5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.3038002252.00000286F0BA5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3174174470.0000016309690000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000001C.00000002.3183499015.000001630A1C0000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2615805731.0000020668981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000019.00000002.2852883567.000001E542C31000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
0000000E.00000002.2556640926.000001CFDAFA5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.2718929915.0000028680233000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.2718929915.0000028680C33000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2615805731.00000206681C9000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2615805731.00000206672B8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000036.00000002.2718929915.0000028681633000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2615805731.00000206683AD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
00000025.00000002.2615805731.0000020668A58000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 1268	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 2360	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 2520	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AteraAgent.exe PID: 2704	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AteraAgent.exe PID: 1684	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 7124	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageAgentInformation.exe PID: 5344	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageAgentInformation.exe PID: 6460	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageAgentInformation.exe PID: 4676	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AteraAgent.exe PID: 3292	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageAgentInformation.exe PID: 7196	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: cmd.exe PID: 7320	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: cscript.exe PID: 7388	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageMonitoring.exe PID: 7516	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: powershell.exe PID: 7884	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageUpgradeAgent.exe PID: 8028	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageSTRemote.exe PID: 8124	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageUpgradeAgent.exe PID: 3732	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageTicketing.exe PID: 6780	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: msiexec.exe PID: 5808	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 5052	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 7344	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: cmd.exe PID: 7536	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageInternalPoller.exe PID: 7532	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: powershell.exe PID: 2796	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: powershell.exe PID: 2796	INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC	Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution	ditekSHen	0x2a030:$b2: ::FromBase64String( 0x2a00f:$b3: ::UTF8.GetString( 0x1aa54:$s1: -join 0x26163:$s1: -join 0x4717a:$s1: -join 0x471b5:$s1: -join 0x4726f:$s1: -join 0x4729d:$s1: -join 0x47442:$s1: -join 0x47465:$s1: -join 0x47718:$s1: -join 0x47739:$s1: -join 0x4776b:$s1: -join 0x477b3:$s1: -join 0x477e0:$s1: -join 0x47807:$s1: -join 0x47832:$s1: -join 0x4784e:$s1: -join 0x478b7:$s1: -join 0x47d3e:$s1: -join 0x47d60:$s1: -join
Process Memory Space: Agent.Package.Watchdog.exe PID: 5668	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: rundll32.exe PID: 4616	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageSystemTools.exe PID: 3780	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: AgentPackageHeartbeat.exe PID: 4708	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Process Memory Space: Agent.Package.Watchdog.exe PID: 5068	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Click to see the 340 entries

Unpacked PEs

Source	Rule	Description	Author
19.2.AgentPackageAgentInformation.exe.267baac0000.1.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
45.2.AgentPackageTicketing.exe.23d46890000.2.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
59.0.AgentPackageSystemTools.exe.1babbb20000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
59.2.AgentPackageSystemTools.exe.1babc430000.1.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
33.2.AgentPackageMonitoring.exe.26e26690000.1.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
19.0.AgentPackageAgentInformation.exe.267ba2b0000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
19.0.AgentPackageAgentInformation.exe.267ba2b0000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
52.0.AgentPackageInternalPoller.exe.1f4328e0000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
45.2.AgentPackageTicketing.exe.23d46870000.1.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
45.2.AgentPackageTicketing.exe.23d46870000.1.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
45.0.AgentPackageTicketing.exe.23d45f70000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
13.0.AteraAgent.exe.1e2aa110000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
39.0.AgentPackageUpgradeAgent.exe.1e45c230000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
41.0.AgentPackageSTRemote.exe.2695ce10000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
60.2.AgentPackageHeartbeat.exe.19246400000.1.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
33.0.AgentPackageMonitoring.exe.26e261f0000.0.unpack	JoeSecurity_AteraAgent	Yara detected AteraAgent	Joe Security
Click to see the 11 entries

Sigma Signatures

System Summary

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, CommandLine: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, CommandLine|base64offset|contains: I~%, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "31b88dde-1623-4466-adb0-05f466efd2ea" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000KZFzxIAH, ParentImage: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, ParentProcessId: 7196, ParentProcessName: AgentPackageAgentInformation.exe, ProcessCommandLine: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, ProcessId: 7884, ProcessName: powershell.exe

Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript

Source: Process started

Author: Michael Haag: Data: Command: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, CommandLine|base64offset|contains: r+, Image: C:\Windows\System32\cscript.exe, NewProcessName: C:\Windows\System32\cscript.exe, OriginalFileName: C:\Windows\System32\cscript.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 7320, ParentProcessName: cmd.exe, ProcessCommandLine: cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus, ProcessId: 7388, ProcessName: cscript.exe

Sigma detected: Net.exe Execution

Source: Process started

Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B756259567EEAEDF13A18B94143184C3 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 4744, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 1848, ProcessName: net.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, CommandLine: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, CommandLine|base64offset|contains: I~%, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "31b88dde-1623-4466-adb0-05f466efd2ea" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000KZFzxIAH, ParentImage: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, ParentProcessId: 7196, ParentProcessName: AgentPackageAgentInformation.exe, ProcessCommandLine: "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser, ProcessId: 7884, ProcessName: powershell.exe

Sigma detected: Stop Windows Service Via Net.EXE

Source: Process started

Author: Jakob Weinzettl, oscd.community, Nasreddine Bencherchali (Nextron Systems): Data: Command: "NET" STOP AteraAgent, CommandLine: "NET" STOP AteraAgent, CommandLine|base64offset|contains: I3, Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: C:\Windows\syswow64\MsiExec.exe -Embedding B756259567EEAEDF13A18B94143184C3 E Global\MSI0000, ParentImage: C:\Windows\SysWOW64\msiexec.exe, ParentProcessId: 4744, ParentProcessName: msiexec.exe, ProcessCommandLine: "NET" STOP AteraAgent, ProcessId: 1848, ProcessName: net.exe

Sigma detected: Windows Processes Suspicious Parent Directory

Source: Process started

Author: vburov: Data: Command: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, CommandLine|base64offset|contains: , Image: C:\Windows\System32\svchost.exe, NewProcessName: C:\Windows\System32\svchost.exe, OriginalFileName: C:\Windows\System32\svchost.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 632, ProcessCommandLine: C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager, ProcessId: 7728, ProcessName: svchost.exe

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: 5a26d2.rbf (copy)	ReversingLabs: Detection: 21%
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.7% probability

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0274BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext,	33_2_00007FF8A0274BC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0274DE0 CryptReleaseContext,	33_2_00007FF8A0274DE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0274E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash,	33_2_00007FF8A0274E20

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\TEMP\AteraSetupLog.txt

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txt	Jump to behavior

Source:	Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000021.00000002.2361978001.0000026E26C62000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb:g source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.Hosting/Release/net6.0/Microsoft.Extensions.Hosting.pdb source: Microsoft.Extensions.Hosting.dll.25.dr
Source:	Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb l:l ,l_CorExeMainmscoree.dll source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000000.2624826314.0000023D45F72000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.2098028173.000001E2AA112000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: mscorlib.pdbBu source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E4753F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rundll32.exe, 00000032.00000002.2757925943.000000000709D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.2248721633.00000267BAAC2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3285746888.0000023D46892000.00000002.00000001.01000000.0000004B.sdmp, AgentPackageSystemTools.exe, 0000003B.00000002.2787382050.000001BABC432000.00000002.00000001.01000000.00000041.sdmp, AgentPackageHeartbeat.exe, 0000003C.00000002.2811860268.0000019246402000.00000002.00000001.01000000.00000043.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb< source: AgentPackageAgentInformation.exe, 00000013.00000000.2229421092.00000267BA2B2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000000.2594468379.000001E45C232000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2748620083.0000000000877000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?(nC:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2748620083.0000000000877000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000021.00000002.2369122956.0000026E3F772000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2360997395.0000026E26AA2000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb) source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 00000034.00000002.2758826390.000001F44B9F2000.00000002.00000001.01000000.00000038.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbTy source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 00000034.00000002.2771383497.000001F44BDC2000.00000002.00000001.01000000.00000040.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbdq source: AgentPackageTicketing.exe, 0000002D.00000002.3285746888.0000023D46892000.00000002.00000001.01000000.0000004B.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.2098028173.000001E2AA112000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdb source: Microsoft.ApplicationInsights.dll.14.dr
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.Hosting/Release/net6.0/Microsoft.Extensions.Hosting.pdbSHA256-@ source: Microsoft.Extensions.Hosting.dll.25.dr
Source:	Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb<\ source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb="* source: rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000034.00000000.2688823349.000001F4328E2000.00000002.00000001.01000000.00000035.sdmp
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2593774093.000001CFF4802000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2593774093.000001CFF4802000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368580202.0000026E3F6B2000.00000002.00000001.01000000.00000022.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2367604505.0000026E3F542000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000013.00000000.2229421092.00000267BA2B2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2361978001.0000026E26C62000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb(g6 source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2757925943.0000000007090000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdbSHA256 source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249659287.00000267D33D2000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2643531899.000002E01B6D0000.00000002.00000001.01000000.0000002C.sdmp, Newtonsoft.Json.dll6.25.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdb source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249659287.00000267D33D2000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368580202.0000026E3F6B2000.00000002.00000001.01000000.00000022.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2643531899.000002E01B6D0000.00000002.00000001.01000000.0000002C.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll6.25.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3010018700.000001E4754A2000.00000002.00000001.01000000.00000045.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3010018700.000001E4754A2000.00000002.00000001.01000000.00000045.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000034.00000002.2771383497.000001F44BDC2000.00000002.00000001.01000000.00000040.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi
Source:	Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdbP source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb4X source: AgentPackageHeartbeat.exe, 0000003C.00000002.2811860268.0000019246402000.00000002.00000001.01000000.00000043.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageHeartbeat\AgentPackageHeartbeat\obj\Release\AgentPackageHeartbeat.pdb source: AgentPackageHeartbeat.exe, 0000003C.00000000.2765480855.0000019246092000.00000002.00000001.01000000.0000003F.sdmp
Source:	Binary string: em.pdb source: AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dows\dll\System.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000021.00000002.2360997395.0000026E26AA2000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: d:\svn\sr01\tim\dev\win32\stvideo\display\objfre_win7_x86\i386\stvideo.pdb source: stvideo.dll.2.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.2248721633.00000267BAAC2000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2757925943.00000000070A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: rundll32.exe, 00000032.00000002.2757925943.000000000709D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: devcon.pdb source: devcon64.exe0.2.dr
Source:	Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDBM( source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E4753F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdbCW source: Microsoft.ApplicationInsights.dll.14.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: d:\str\dev\win32\sthid\hidmapper\objfre_win7_x86\i386\hidkmdf.pdb source: hidkmdf.sys.2.dr
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2379577749.00007FF8A03BA000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2153873788.000001E2C4522000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.2.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: d:\str\dev\win32\sthid\hidmapper\objfre_win7_x86\i386\hidkmdf.pdbN source: hidkmdf.sys.2.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.2153873788.000001E2C4522000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.2.dr
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2369122956.0000026E3F772000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi
Source:	Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000034.00000002.2758826390.000001F44B9F2000.00000002.00000001.01000000.00000038.sdmp
Source:	Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000000.2624826314.0000023D45F72000.00000002.00000001.01000000.0000002A.sdmp

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\LocalServer
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Elevation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91873h	13_2_00007FF848A90C1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91A44h	13_2_00007FF848A90C1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91FFFh	13_2_00007FF848A90C1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A9227Bh	13_2_00007FF848A90C1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91FFFh	13_2_00007FF848A91EB6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91FFFh	13_2_00007FF848A91E9A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91FFFh	13_2_00007FF848A91E7E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91873h	13_2_00007FF848A9184E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91A44h	13_2_00007FF848A9184E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848ABB972h	14_2_00007FF848ABB5E7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848AA1A44h	14_2_00007FF848AA1A34
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848AA4ECBh	14_2_00007FF848AA4EAF
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848AA227Bh	14_2_00007FF848AA225D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848ABB972h	14_2_00007FF848ABB620
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848AABDE2h	25_2_00007FF848AABB8E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A94ECBh	25_2_00007FF848A94B1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A94ECBh	25_2_00007FF848A94DC8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91FFFh	25_2_00007FF848A91EB6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848CB2F30h	25_2_00007FF848CB2C89
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then dec eax	25_2_00007FF848CB1FD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then dec eax	25_2_00007FF848CB1FA1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848CB48A9h	25_2_00007FF848CB47A4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91873h	25_2_00007FF848A90C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91A44h	25_2_00007FF848A90C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A91FFFh	25_2_00007FF848A90C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FF848A9227Bh	25_2_00007FF848A90C58

Networking

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 40.119.152.241 443

Yara detected Generic Downloader

Source: Yara match	File source: 19.0.AgentPackageAgentInformation.exe.267ba2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.AgentPackageTicketing.exe.23d46870000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll, type: DROPPED

Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.5/AGENT.PACKAGE.WATCHDOG.ZIP
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB926000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/37.2/AGENTPACKAGEAGENTINFORMATI
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIP
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.4/AGENTPACKAGEMARKETPLACE.ZIP
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIP
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542D6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEOSUPDATES/19.2/AGENTPACKAGEOSUPDATES.ZIP
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542D6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/23.0/AGENTPACKAGEPROGRAMMANAGE
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESYSTEMTOOLS/26.6/AGENTPACKAGESYSTEMTOOLS.ZIP
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D8D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://acedicom.edicomgroup.com/doc0
Source: AteraAgent.exe, 0000000D.00000000.2098028173.000001E2AA112000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://acontrol.atera.com/
Source: rundll32.exe, 00000005.00000002.2078628555.0000000004D75000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA4E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004495000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2248887172.00000267BAC7F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2260910212.0000024E0012F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A56000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A2F9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A25A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A1C0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E27251000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D7F7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000034.00000002.2734005619.000001F43338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://agent-api.atera.com
Source: rundll32.exe, 00000005.00000002.2078628555.0000000004D75000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA4E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004495000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2248887172.00000267BAC7F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2260910212.0000024E0012F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A56000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A2F9000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A25A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A1C0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E27251000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D7F7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.00000000046D5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000034.00000002.2734005619.000001F43338C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
Source: AgentPackageHeartbeat.exe, 0000003C.00000002.2818917909.0000019246BCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://atera-agent-heartbeat.servicebus.windows.net
Source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CC7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://blob.ams08prdstr06a.store.core.windows.net
Source: AteraAgent.exe, 0000000E.00000002.2556640926.000001CFDAFA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B400000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B900000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBEC4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA56000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A79000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543606000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543978000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543549000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E5431FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: AteraAgent.exe, 0000000D.00000002.2154536366.000001E2C4998000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154536366.000001E2C4950000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3F74000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF404E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B400000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E5435FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B458000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E5431FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt7
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF447F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CC9F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CCA3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D92C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D930000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF402C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF447F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2556640926.000001CFDAFA5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249904323.00000267D3480000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249904323.00000267D34FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2266724520.0000024E7D120000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2266724520.0000024E7D1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF402C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt_
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/SGCA.crl0
Source: stvideo.dll.2.dr, hidkmdf.sys.2.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4768000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B400000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B900000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertT
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D92C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTe
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4779000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4720000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl)
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl-
Source: AteraAgent.exe, 0000000D.00000002.2152585479.000001E2AA2A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl.
Source: AteraAgent.exe, 0000000D.00000002.2154536366.000001E2C4998000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154536366.000001E2C4950000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBEC4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA56000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3F74000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF404E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B400000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A79000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E5435FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl4
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl6(
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl6f
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl=
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlN(
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlb)
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlk
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlq
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF447F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CC9F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CCA3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D92C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D930000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4768000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: Newtonsoft.Json.dll6.25.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4752000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlS
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4768000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/tP
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4779000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl=
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4779000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crllorer
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4779000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4720000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBEC4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA56000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A79000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543606000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543978000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543549000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E5431FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000D.00000002.2154536366.000001E2C4998000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154536366.000001E2C4950000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3F74000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF404E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B400000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E5435FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B458000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E5431FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlHc
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4779000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlz
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4768000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/l
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4779000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlh
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF447F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabx6
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d17kmd0va0f0mp.cloudfront.net
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543919000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54354F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://d25btwd9wax8gu.cloudfront.net
Source: AgentPackageAgentInformation.exe, 00000013.00000000.2229421092.00000267BA2B2000.00000002.00000001.01000000.00000016.sdmp	String found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://download.splashtop.com
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF458A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF458A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: Newtonsoft.Json.dll6.25.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: rundll32.exe, 00000005.00000002.2079122206.0000000007470000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://microsoft.co
Source: rundll32.exe, 00000006.00000002.2086390865.0000000000DEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://msdn.m
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D8D4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://my.splashtop.com
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://nlog-project.org/dummynamespace/
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://nlog-project.org/ws/
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://nlog-project.org/ws/3
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://nlog-project.org/ws/5
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://nlog-project.org/ws/ILogReceiverOneWayServer/ProcessLogMessages
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesResponsep
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://nlog-project.org/ws/T
Source: AgentPackageHeartbeat.exe, 0000003C.00000002.2818917909.0000019246BCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ns-prod-am3-az501.westeurope.cloudapp.azure.com
Source: powershell.exe, 00000025.00000002.2717163049.00000206770FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2615805731.0000020668A58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2997229161.0000028690072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2997229161.00000286901B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digice
Source: AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF402C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF457D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4720000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2556640926.000001CFDAFA5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3F74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4768000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/l4
Source: AteraAgent.exe, 0000000D.00000002.2154536366.000001E2C4998000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154536366.000001E2C4950000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBEC4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA56000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3F74000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF404E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B400000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A79000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E5435FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF447F000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2556640926.000001CFDAFA5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249904323.00000267D3480000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249904323.00000267D34FF000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2266724520.0000024E7D120000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2266724520.0000024E7D1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B985000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B400000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B900000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8E4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://ocsp.digicert.com0K
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF447F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8DB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CC9F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CCA3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D92C000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D930000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com1.3.6.1.5.5.7.48.2http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRS
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4720000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
Source: AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF402C000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com;
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF457D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comBJM
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF457D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com_IX
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B885000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.cr
Source: AteraAgent.exe, 00000019.00000002.3035623763.000001E55B458000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crl=
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertTrustedRootG4.crlv
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF457D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comxJ
Source: stvideo.dll.2.dr, hidkmdf.sys.2.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CC7C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://packagesstore.blob.core.windows.net
Source: powershell.exe, 00000036.00000002.2718929915.0000028680233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54363D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543919000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54354F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.atera.com
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.pndsn.com
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: stvideo.dll.2.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: stvideo.dll.2.dr	String found in binary or memory: http://s2.symcb.com0
Source: AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: powershell.exe, 00000025.00000002.2744107513.000002067F566000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.microsoft.co_
Source: powershell.exe, 00000025.00000002.2615805731.00000206679C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2615805731.00000206672B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: rundll32.exe, 00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2248887172.00000267BABD3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2260910212.0000024E000BF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542C31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A041000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2615805731.0000020667091000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CB41000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D788000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3288600100.0000023D46B31000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.0000000004611000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.00000000046B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000034.00000002.2734005619.000001F433280000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2718929915.0000028680001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageHeartbeat.exe, 0000003C.00000002.2818917909.0000019246AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000025.00000002.2615805731.00000206679C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2615805731.00000206672B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/
Source: stvideo.dll.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: stvideo.dll.2.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: stvideo.dll.2.dr	String found in binary or memory: http://sv.symcd.com0&
Source: stvideo.dll.2.dr, hidkmdf.sys.2.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: stvideo.dll.2.dr, hidkmdf.sys.2.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: stvideo.dll.2.dr, hidkmdf.sys.2.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: http://wixtoolset.org
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://wixtoolset.org/releases/
Source: AgentPackageMonitoring.exe, 00000021.00000002.2361215633.0000026E26AF2000.00000002.00000001.01000000.0000001E.sdmp	String found in binary or memory: http://www.abit.com.tw/
Source: powershell.exe, 00000036.00000002.2718929915.0000028680233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF458A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBEC4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA56000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A79000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543606000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543978000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543549000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E5431FC000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154536366.000001E2C4998000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154536366.000001E2C4950000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3F74000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF404E000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B400000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E5435FF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.e-trust.be/CPS/QNcerts
Source: AteraAgent.exe, 0000000E.00000002.2593246742.000001CFF45DE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: 5a26dd.rbs.2.dr	String found in binary or memory: http://www.splashtop.com/remote
Source: stvideo.dll.2.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: stvideo.dll.2.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: AgentPackageHeartbeat.exe, 0000003C.00000000.2765480855.0000019246092000.00000002.00000001.01000000.0000003F.sdmp	String found in binary or memory: https://1.servicebus.windows.net/
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.P0
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.PJ
Source: rundll32.exe, 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.00000000046B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.aterD
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA4E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2248887172.00000267BABD3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2260910212.0000024E000BF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A25A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A0DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.0000000004611000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.00000000046B4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542C31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Productio
Source: AgentPackageAgentInformation.exe, 00000013.00000002.2248887172.00000267BABD3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2260910212.0000024E000BF000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A0DE000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A1C0000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.0000000004611000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.00000000046B4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA4E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB840000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
Source: AgentPackageAgentInformation.exe, 00000013.00000002.2248887172.00000267BABD3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2260910212.0000024E000BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
Source: AgentPackageTicketing.exe, 0000002D.00000002.3273707942.0000023D4610F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3288600100.0000023D46B31000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelp
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB840000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB814000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsern
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatus
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D788000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRemoteToolStatusWithAccount
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/Trace
Source: AgentPackageInternalPoller.exe, 00000034.00000002.2734005619.000001F433280000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/agentMonitoredDevices/f59f3442-6117-4640-8aae-6ef22eb1a
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A041000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-basedPkj
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A0DE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A25A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A1C0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/f59f3442-6117-4640-8aae-6ef22eb1ae8f
Source: rundll32.exe, 00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.0000000004611000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.00000000046B4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
Source: rundll32.exe, 00000005.00000002.2078628555.0000000004D96000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.00000000044B6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A25A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/ProductionPkj
Source: Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?You
Source: Agent.Package.Watchdog.exe, 0000003F.00000002.2778689991.0000027604788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win10-x64&apphost_version=6.0
Source: Agent.Package.Watchdog.exe, 00000038.00000002.2709175078.000001E861C9C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rih
Source: Agent.Package.Watchdog.exe, 00000038.00000002.2709175078.000001E861C9C000.00000004.00000020.00020000.00000000.sdmp, Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2778689991.0000027604788000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp	String found in binary or memory: https://aka.ms/dotnet/app-launch-failed&gui=trueShowing
Source: powershell.exe, 00000025.00000002.2615805731.0000020667091000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2718929915.0000028680001000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore68
Source: powershell.exe, 00000025.00000002.2615805731.00000206672B8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelp
Source: powershell.exe, 00000025.00000002.2615805731.00000206686C8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/winsvr-2022-pshelpX
Source: AgentPackageTicketing.exe, 0000002D.00000002.3288600100.0000023D46BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.nuget.org
Source: AgentPackageTicketing.exe, 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3288600100.0000023D46BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.nuget.org/v3-flatcontainer/eo.webbrowser/22.1.42/eo.webbrowser.22.1.42.nupkg
Source: AgentPackageHeartbeat.exe, 0000003C.00000002.2818917909.0000019246AB1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageHeartbeat.exe, 0000003C.00000002.2818917909.0000019246BBE000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://atera-agent-heartbeat.servicebus.windows.net
Source: AgentPackageHeartbeat.exe, 0000003C.00000002.2818917909.0000019246AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://atera-agent-heartbeat.servicebus.windows.net/
Source: AgentPackageHeartbeat.exe, 0000003C.00000002.2818917909.0000019246AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://atera-agent-heartbeat.servicebus.windows.net/agentheartbeat/messages
Source: powershell.exe, 00000036.00000002.2997229161.00000286901B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000036.00000002.2997229161.00000286901B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000036.00000002.2997229161.00000286901B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: stvideo.dll.2.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: stvideo.dll.2.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: Microsoft.ApplicationInsights.dll.14.dr	String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: Microsoft.ApplicationInsights.dll.14.dr	String found in binary or memory: https://dc.services.visualstudio.com/v2/trackOStartRunnerEvent
Source: Microsoft.ApplicationInsights.dll.14.dr	String found in binary or memory: https://dc.services.visualstudio.com/v2/trackvhttps://dc.services.visualstudio.com/api/profiles/
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D930000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.splashtop.com
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D7F7000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D930000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D816000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.0.1.exe
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249659287.00000267D33D2000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368580202.0000026E3F6B2000.00000002.00000001.01000000.00000022.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2643531899.000002E01B6D0000.00000002.00000001.01000000.0000002C.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll6.25.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: powershell.exe, 00000036.00000002.2718929915.0000028680233000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr, Microsoft.Extensions.Hosting.dll.25.dr	String found in binary or memory: https://github.com/dotnet/runtime
Source: Microsoft.Extensions.Hosting.dll.25.dr	String found in binary or memory: https://github.com/dotnet/runtimeu
Source: AteraAgent.exe, 0000000E.00000002.2593774093.000001CFF4802000.00000002.00000001.01000000.00000026.sdmp	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: AgentPackageInternalPoller.exe, 00000034.00000002.2771383497.000001F44BDC2000.00000002.00000001.01000000.00000040.sdmp	String found in binary or memory: https://github.com/lextudio/sharpsnmplib.git
Source: Microsoft.Extensions.Hosting.dll.25.dr	String found in binary or memory: https://github.com/mono/linker/issues/1416.
Source: powershell.exe, 00000025.00000002.2615805731.00000206686C8000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2718929915.0000028680C33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 00000036.00000002.3056780030.00000286F170A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://go.microsoft.c
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D840000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://my.splashtop.com
Source: AgentPackageSTRemote.exe, 00000029.00000000.2612366668.000002695CE12000.00000002.00000001.01000000.00000029.sdmp	String found in binary or memory: https://my.splashtop.com/csrs/win
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368505293.0000026E3F6A8000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: https://nlog-project.org/
Source: powershell.exe, 00000025.00000002.2717163049.00000206770FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2615805731.0000020668A58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2997229161.0000028690072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2997229161.00000286901B5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe
Source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CB41000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CC76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packagesstore.blob.core.windows.net
Source: AgentPackageUpgradeAgent.exe, 00000027.00000000.2594468379.000001E45C232000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Agents/Mac/
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
Source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CB41000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000000.2594468379.000001E45C232000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric
Source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CB41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MSI/1.8.7.2/Setupx64.msi
Source: AgentPackageUpgradeAgent.exe, 00000027.00000000.2594468379.000001E45C232000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric/MacAgent/1.0/AteraAgentInstaller.pkgA/
Source: AgentPackageUpgradeAgent.exe, 00000027.00000000.2594468379.000001E45C232000.00000002.00000001.01000000.00000027.sdmp	String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/Fabric5Get
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543919000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E54354F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.ateH
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543919000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.ateH:
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543928000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.ateHB
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543638000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.ateHj
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543928000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543919000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/a
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/ag
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBAF4000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageA
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAg
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAge
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC0C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgen
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAgentIn
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.39/AgentPackageMonitoring.z
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.ziph
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/A
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availa
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Wat
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip?r3SRub
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADR
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?r3SRubncX5
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB78000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformati
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?r3SRub
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.4/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.4/AgentPackageMarketplace.zip?r3SR
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip?r3SRu
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.ziph
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.2/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.2/AgentPackageOsUpdates.zip?r3SRubn
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/23.0/AgentPackageProgramManage
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInst
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/21.7/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.6/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.6/AgentPackageSystemTools.zip?r3S
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/27.7/AgentPackageTicketing.zip
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542D6A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/27.7/AgentPackageTicketing.zip?r3SRubn
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip?r
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageADRemote/1.2/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB78000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageWindowsUpdate/18.3/AgentPackageWindowsUpdate.zip
Source: AgentPackageTicketing.exe, 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp	String found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.22.1.42.nupkg
Source: AgentPackageTicketing.exe, 0000002D.00000002.3288600100.0000023D46BAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.22.1.42.nupkgX
Source: AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D840000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000000.2612366668.000002695CE12000.00000002.00000001.01000000.00000029.sdmp	String found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
Source: AgentPackageSTRemote.exe, 00000029.00000000.2612366668.000002695CE12000.00000002.00000001.01000000.00000029.sdmp	String found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exepUsers/Shared/Splashtop
Source: AgentPackageTicketing.exe, 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp	String found in binary or memory: https://ps.atera.com/translations/TicketingTray.json
Source: AgentPackageTicketing.exe, 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp	String found in binary or memory: https://ps.atera.com/translations/TicketingTray.json?9translation
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB926000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.comX
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBD4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB46000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBD4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB46000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB840000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542CB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=06f39a1f-cbb5-41ee-81b8-00d884273d1c
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542CB8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=18ce1a0b-80c3-45af-a62c-b980339710dd
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7bc29546-b52f-485b-8762-cf4656a15e80
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC58000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=907b2fa1-39bf-44d6-a0bf-6b8493a99cb5
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB840000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=9b68fdf0-7e22-426f-b8aa-0f36f8e62ca5
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b4d66385-ea77-44cf-9415-7e56999fc7a2
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB926000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=fd8a79b1-9558-4b58-9a18-66594e38e07e
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ff695f2d-ee1f-4beb-b15a-471c29244505
Source: AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/f59f3442
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB78000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/f59f3442-6117-4640-8aae
Source: AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: AgentPackageTicketing.exe, 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp	String found in binary or memory: https://setup-app-resolver.atera.com
Source: AgentPackageMonitoring.exe, 00000021.00000002.2369122956.0000026E3F772000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://system.data.sqlite.org/
Source: AgentPackageMonitoring.exe, 00000021.00000002.2369410283.0000026E3F7D4000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://system.data.sqlite.org/X
Source: AgentPackageMonitoring.exe, 00000021.00000002.2369122956.0000026E3F772000.00000002.00000001.01000000.00000023.sdmp	String found in binary or memory: https://urn.to/r/sds_see
Source: AgentPackageTicketing.exe, 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp	String found in binary or memory: https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnosti
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	String found in binary or memory: https://www.digicert.com/CPS0
Source: AteraAgent.exe, 0000000E.00000002.2595880171.000001CFF4906000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.netlock.hu/docs/
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll6.25.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368505293.0000026E3F6A8000.00000002.00000001.01000000.00000021.sdmp	String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249659287.00000267D33D2000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368580202.0000026E3F6B2000.00000002.00000001.01000000.00000022.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2643531899.000002E01B6D0000.00000002.00000001.01000000.0000002C.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll6.25.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: AgentPackageMonitoring.exe	String found in binary or memory: https://www.sqlite.org/copyright.html
Source: AgentPackageMonitoring.exe, 00000021.00000002.2380051125.00007FF8A0404000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr	String found in binary or memory: https://www.sqlite.org/copyright.html2

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System\AlphaAgent

System Summary

Malicious sample detected (through community Yara rule)

Source: Process Memory Space: powershell.exe PID: 2796, type: MEMORYSTR

Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys

Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a26cb.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2852.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2EAC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3F86.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4330.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4341.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4390.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI446C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a26cd.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a26cd.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5DC1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a26ce.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2160.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI245F.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48FF.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5880.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5881.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI59CB.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5B14.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7776.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7777.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7815.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7864.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a26da.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a26da.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7DE3.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a26db.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC6C4.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC704.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC80E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID58C.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID80E.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a26de.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\5a26de.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIFEB2.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\CustomAction.config	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\CustomAction.config
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI2852.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04BE7678	5_3_04BE7678
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04BE0040	5_3_04BE0040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_06FC50B8	6_3_06FC50B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_06FC59A8	6_3_06FC59A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 6_3_06FC4D68	6_3_06FC4D68
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FF848A9C922	13_2_00007FF848A9C922
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FF848A9B679	13_2_00007FF848A9B679
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FF848A90C1D	13_2_00007FF848A90C1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FF848A9BB76	13_2_00007FF848A9BB76
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FF848A9986D	13_2_00007FF848A9986D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848ABC920	14_2_00007FF848ABC920
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848AA0D42	14_2_00007FF848AA0D42
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848AA9AF2	14_2_00007FF848AA9AF2
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848AB1CE0	14_2_00007FF848AB1CE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848AB900E	14_2_00007FF848AB900E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB2684	14_2_00007FF848CB2684
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB4706	14_2_00007FF848CB4706
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_068F0040	17_3_068F0040
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF848A68602	19_2_00007FF848A68602
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF848A67856	19_2_00007FF848A67856
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF848A611CF	19_2_00007FF848A611CF
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF848A611FA	19_2_00007FF848A611FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF848A6BCA8	19_2_00007FF848A6BCA8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF848A71030	19_2_00007FF848A71030
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FF848AA03FD	21_2_00007FF848AA03FD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FF848A88602	21_2_00007FF848A88602
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FF848A87856	21_2_00007FF848A87856
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FF848A811CF	21_2_00007FF848A811CF
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FF848A811FA	21_2_00007FF848A811FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FF848A8BCA8	21_2_00007FF848A8BCA8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FF848A91030	21_2_00007FF848A91030
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF848A912FA	23_2_00007FF848A912FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AB3CD0	25_2_00007FF848AB3CD0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AA1D8B	25_2_00007FF848AA1D8B
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AACD80	25_2_00007FF848AACD80
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AACEA0	25_2_00007FF848AACEA0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848A99EDF	25_2_00007FF848A99EDF
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AB1FAD	25_2_00007FF848AB1FAD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AACE30	25_2_00007FF848AACE30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AACE30	25_2_00007FF848AACE30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AAD3C8	25_2_00007FF848AAD3C8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AA9426	25_2_00007FF848AA9426
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CBA18D	25_2_00007FF848CBA18D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CC1B0D	25_2_00007FF848CC1B0D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CAADA1	25_2_00007FF848CAADA1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CA9EDD	25_2_00007FF848CA9EDD
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CB5020	25_2_00007FF848CB5020
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CB6160	25_2_00007FF848CB6160
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CBBAF1	25_2_00007FF848CBBAF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CA948A	25_2_00007FF848CA948A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CA6CA0	25_2_00007FF848CA6CA0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CB5FED	25_2_00007FF848CB5FED
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CB7F61	25_2_00007FF848CB7F61
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848CB0E80	25_2_00007FF848CB0E80
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848A90C58	25_2_00007FF848A90C58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A9FA9F	28_2_00007FF848A9FA9F
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848AAEC78	28_2_00007FF848AAEC78
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848AA0D20	28_2_00007FF848AA0D20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A8CCF9	28_2_00007FF848A8CCF9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A84010	28_2_00007FF848A84010
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A812C0	28_2_00007FF848A812C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848AA7218	28_2_00007FF848AA7218
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A8C36F	28_2_00007FF848A8C36F
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A89632	28_2_00007FF848A89632
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A88886	28_2_00007FF848A88886
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A98BCE	28_2_00007FF848A98BCE
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848ABECB8	28_2_00007FF848ABECB8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A98C01	28_2_00007FF848A98C01
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A811FA	28_2_00007FF848A811FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 28_2_00007FF848A80730	28_2_00007FF848A80730
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03A01E0	33_2_00007FF8A03A01E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0396960	33_2_00007FF8A0396960
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02EB880	33_2_00007FF8A02EB880
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03920E0	33_2_00007FF8A03920E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02EC110	33_2_00007FF8A02EC110
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A031C220	33_2_00007FF8A031C220
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02D2240	33_2_00007FF8A02D2240
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03022B0	33_2_00007FF8A03022B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A030A2F0	33_2_00007FF8A030A2F0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0280330	33_2_00007FF8A0280330
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0282310	33_2_00007FF8A0282310
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0328310	33_2_00007FF8A0328310
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02C64A0	33_2_00007FF8A02C64A0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02744DC	33_2_00007FF8A02744DC
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A026A524	33_2_00007FF8A026A524
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02B0510	33_2_00007FF8A02B0510
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02E4550	33_2_00007FF8A02E4550
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A031A5D0	33_2_00007FF8A031A5D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03805D0	33_2_00007FF8A03805D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A031E590	33_2_00007FF8A031E590
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0346590	33_2_00007FF8A0346590
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02685D4	33_2_00007FF8A02685D4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A039E5B0	33_2_00007FF8A039E5B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02E0600	33_2_00007FF8A02E0600
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A039C680	33_2_00007FF8A039C680
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A027E720	33_2_00007FF8A027E720
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0272738	33_2_00007FF8A0272738
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02FA7E0	33_2_00007FF8A02FA7E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A026E80C	33_2_00007FF8A026E80C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0326860	33_2_00007FF8A0326860
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0278860	33_2_00007FF8A0278860
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02B88A0	33_2_00007FF8A02B88A0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02628C0	33_2_00007FF8A02628C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0356910	33_2_00007FF8A0356910
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02BE990	33_2_00007FF8A02BE990
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A032AA70	33_2_00007FF8A032AA70
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02A8A60	33_2_00007FF8A02A8A60
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0268A3C	33_2_00007FF8A0268A3C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0286A80	33_2_00007FF8A0286A80
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A034AB00	33_2_00007FF8A034AB00
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02DCB50	33_2_00007FF8A02DCB50
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02B8B90	33_2_00007FF8A02B8B90
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A030CC00	33_2_00007FF8A030CC00
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0394C80	33_2_00007FF8A0394C80
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02AACD0	33_2_00007FF8A02AACD0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0276CC0	33_2_00007FF8A0276CC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02E6D20	33_2_00007FF8A02E6D20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A039CD60	33_2_00007FF8A039CD60
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02D4D00	33_2_00007FF8A02D4D00
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0328D20	33_2_00007FF8A0328D20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03B0D30	33_2_00007FF8A03B0D30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0264DB4	33_2_00007FF8A0264DB4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02C0E30	33_2_00007FF8A02C0E30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A028CE70	33_2_00007FF8A028CE70
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A026CEA8	33_2_00007FF8A026CEA8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02AAFB0	33_2_00007FF8A02AAFB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0272F8C	33_2_00007FF8A0272F8C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02FEFD0	33_2_00007FF8A02FEFD0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02A9020	33_2_00007FF8A02A9020
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03950F0	33_2_00007FF8A03950F0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02F9170	33_2_00007FF8A02F9170
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02CF1B0	33_2_00007FF8A02CF1B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02611B0	33_2_00007FF8A02611B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02DF220	33_2_00007FF8A02DF220
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0373200	33_2_00007FF8A0373200
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A026D284	33_2_00007FF8A026D284
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02FB370	33_2_00007FF8A02FB370
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02FD350	33_2_00007FF8A02FD350
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A026F340	33_2_00007FF8A026F340
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A033F3E0	33_2_00007FF8A033F3E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02893D0	33_2_00007FF8A02893D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0263474	33_2_00007FF8A0263474
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02674B0	33_2_00007FF8A02674B0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A026955C	33_2_00007FF8A026955C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02AF630	33_2_00007FF8A02AF630
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A026D634	33_2_00007FF8A026D634
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02CB647	33_2_00007FF8A02CB647
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0275640	33_2_00007FF8A0275640
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03556D0	33_2_00007FF8A03556D0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0301690	33_2_00007FF8A0301690
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02D36E0	33_2_00007FF8A02D36E0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0307720	33_2_00007FF8A0307720
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02AD770	33_2_00007FF8A02AD770
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02BF780	33_2_00007FF8A02BF780
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03AF790	33_2_00007FF8A03AF790
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03B1840	33_2_00007FF8A03B1840
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A027D830	33_2_00007FF8A027D830
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02C18DA	33_2_00007FF8A02C18DA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A028D910	33_2_00007FF8A028D910
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02CB9F0	33_2_00007FF8A02CB9F0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0317A60	33_2_00007FF8A0317A60
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0299A60	33_2_00007FF8A0299A60
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0303AF0	33_2_00007FF8A0303AF0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0295AD0	33_2_00007FF8A0295AD0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02C7B30	33_2_00007FF8A02C7B30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02A9BA0	33_2_00007FF8A02A9BA0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A034DB80	33_2_00007FF8A034DB80
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A028BBE0	33_2_00007FF8A028BBE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03A3C20	33_2_00007FF8A03A3C20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A033DCC0	33_2_00007FF8A033DCC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A034BCD0	33_2_00007FF8A034BCD0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02A9CF0	33_2_00007FF8A02A9CF0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0337D20	33_2_00007FF8A0337D20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0293E10	33_2_00007FF8A0293E10
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02A7E70	33_2_00007FF8A02A7E70
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0275E50	33_2_00007FF8A0275E50
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02E3EB0	33_2_00007FF8A02E3EB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0307EA0	33_2_00007FF8A0307EA0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02BFEF0	33_2_00007FF8A02BFEF0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02FFED0	33_2_00007FF8A02FFED0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0315EA0	33_2_00007FF8A0315EA0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0267EC0	33_2_00007FF8A0267EC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0299F30	33_2_00007FF8A0299F30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A0277F30	33_2_00007FF8A0277F30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02F5F20	33_2_00007FF8A02F5F20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A03040A0	33_2_00007FF8A03040A0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF8A02FA0C0	33_2_00007FF8A02FA0C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848A8BD51	33_2_00007FF848A8BD51
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848CA24E8	33_2_00007FF848CA24E8
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848DE5138	33_2_00007FF848DE5138
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848DB0B88	33_2_00007FF848DB0B88
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848DB34B1	33_2_00007FF848DB34B1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848DB644D	33_2_00007FF848DB644D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848DF4DA0	33_2_00007FF848DF4DA0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848DB4557	33_2_00007FF848DB4557
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848DB58E7	33_2_00007FF848DB58E7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848DB1037	33_2_00007FF848DB1037
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848DB1069	33_2_00007FF848DB1069
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848E74F88	33_2_00007FF848E74F88
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848E7F378	33_2_00007FF848E7F378
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848E70B77	33_2_00007FF848E70B77
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848E7F458	33_2_00007FF848E7F458
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: 33_2_00007FF848E832DC	33_2_00007FF848E832DC

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: String function: 00007FF8A03B1D30 appears 114 times
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: String function: 00007FF8A03B1B70 appears 102 times
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Code function: String function: 00007FF8A03B06B0 appears 145 times

Source: SRServer.exe.2.dr

Static PE information: Resource name: RT_STRING type: VAX-order2 68k Blit mpx/mux executable

Source: stevt_srs_x86.dll.2.dr	Static PE information: No import functions for PE file found
Source: stevt_srs_x64.dll.2.dr	Static PE information: No import functions for PE file found

Source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi
Source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	Binary or memory string: OriginalFilenameSfxCA.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi
Source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi

Source: Process Memory Space: powershell.exe PID: 2796, type: MEMORYSTR

Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution

Source: SRSocketCtrl.dll.2.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9918444872214941
Source: SRVideoCtrl.dll.2.dr	Static PE information: Section: UPX1 ZLIB complexity 0.990966796875
Source: SRVideoCtrlEx.dll.2.dr	Static PE information: Section: UPX1 ZLIB complexity 0.9911151354825949

Source: classification engine

Classification label: mal100.troj.spyw.evad.winMSI@109/686@0/11

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ATERA Networks

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7524:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7212:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:5604:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7340:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:884:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1856:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Mutant created: \BaseNamedObjects\Global\GenericDevicesFileLock
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7596:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8036:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:8132:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1272:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Mutant created: \BaseNamedObjects\Global\SNMPDevicesFileLock
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:6412:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:3136:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:4372:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Mutant created: \BaseNamedObjects\Global\HttpDevicesFileLock
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Mutant created: \BaseNamedObjects\Global\ServerDevicesFileLock

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DFBE13C9327F3F7CB6.TMP

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus

Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
Source: C:\Windows\SysWOW64\rundll32.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2852.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5908796 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId

Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResultC{0} {1} {2} {3} or8ixLi90Mf "{4}"
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2379577749.00007FF8A03BA000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@
Source: AgentPackageMonitoring.exe, 00000021.00000002.2379577749.00007FF8A03BA000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2379577749.00007FF8A03BA000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2379577749.00007FF8A03BA000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2379577749.00007FF8A03BA000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2369527319.0000026E40415000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2379577749.00007FF8A03BA000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E2727E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
Source: AgentPackageMonitoring.exe, 00000021.00000002.2369527319.0000026E40415000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);MULL)'v
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E2727E000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 00000021.00000002.2379577749.00007FF8A03BA000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp	Binary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;

Source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi

ReversingLabs: Detection: 21%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FBC342A8ABDF04038F10EFC029C1656D
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2852.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5908796 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2EAC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5910218 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3F86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5914531 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B756259567EEAEDF13A18B94143184C3 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="flaviolimapontescliente01@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KZFzxIAH" /AgentId="f59f3442-6117-4640-8aae-6ef22eb1ae8f"
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\SysWOW64\net1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI5DC1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5922250 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "f3f8c138-efff-44a7-8aff-78b661b79ea9" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "97d527e2-ace6-4af1-87ff-fd0bb84d12a8" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "93138382-7cb2-4c66-b5a0-34a2c11202fd" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "31b88dde-1623-4466-adb0-05f466efd2ea" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "15ce275a-be83-4afa-bdcf-3f7d4cc3415d" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "d993a967-e5b2-425f-a13a-df33fb52e8f5" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "4b2bcc99-0697-449c-87dd-e9f93a323079" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" schedulerrun
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "c5fd7c57-20f4-4d3e-91a5-de108e1018e5" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Process created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 44E5FE7B78B93D720BE1B364377A940C E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2160.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5972437 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI245F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5973109 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "659c678a-03f4-46f8-a144-5552c5e31eca" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000KZFzxIAH
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "9714075a-7bec-49a9-9497-61d2edb1cb2b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI48FF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982484 46 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "6bd80e1c-f436-4cf9-8790-13938e064803" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "0dbdfe1d-c093-4c9b-82ad-6e5a3763b364" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "9714075a-7bec-49a9-9497-61d2edb1cb2b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding FBC342A8ABDF04038F10EFC029C1656D	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B756259567EEAEDF13A18B94143184C3 E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="flaviolimapontescliente01@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KZFzxIAH" /AgentId="f59f3442-6117-4640-8aae-6ef22eb1ae8f"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 44E5FE7B78B93D720BE1B364377A940C E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "15ce275a-be83-4afa-bdcf-3f7d4cc3415d" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000KZFzxIAH	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2852.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5908796 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2EAC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5910218 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI3F86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5914531 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI5DC1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5922250 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "f3f8c138-efff-44a7-8aff-78b661b79ea9" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "97d527e2-ace6-4af1-87ff-fd0bb84d12a8" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "93138382-7cb2-4c66-b5a0-34a2c11202fd" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "31b88dde-1623-4466-adb0-05f466efd2ea" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "15ce275a-be83-4afa-bdcf-3f7d4cc3415d" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "d993a967-e5b2-425f-a13a-df33fb52e8f5" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "4b2bcc99-0697-449c-87dd-e9f93a323079" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "659c678a-03f4-46f8-a144-5552c5e31eca" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "9714075a-7bec-49a9-9497-61d2edb1cb2b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "6bd80e1c-f436-4cf9-8790-13938e064803" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "0dbdfe1d-c093-4c9b-82ad-6e5a3763b364" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "9714075a-7bec-49a9-9497-61d2edb1cb2b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Process created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI2160.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5972437 37 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI245F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5973109 41 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI48FF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982484 46 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: riched20.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: usp10.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msls31.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wscapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wtsapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winsta.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: devobj.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: napinsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: pnrpnsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wshbth.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: nlaapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winrnr.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: version.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: sxs.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: vbscript.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: scrobj.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: cryptnet.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: winnsi.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: mpr.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: scrrun.dll
Source: C:\Windows\System32\cscript.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\msiexec.exe

File written: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.ini

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office

Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe.config	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Directory created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to behavior

Source: C:\Windows\System32\msiexec.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4}

Jump to behavior

Source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi

Static file information: File size 2994176 > 1048576

Source:	Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 00000021.00000002.2361978001.0000026E26C62000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb:g source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.Hosting/Release/net6.0/Microsoft.Extensions.Hosting.pdb source: Microsoft.Extensions.Hosting.dll.25.dr
Source:	Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb l:l ,l_CorExeMainmscoree.dll source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000000.2624826314.0000023D45F72000.00000002.00000001.01000000.0000002A.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000D.00000000.2098028173.000001E2AA112000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: mscorlib.pdbBu source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E4753F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: rundll32.exe, 00000032.00000002.2757925943.000000000709D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000013.00000002.2248721633.00000267BAAC2000.00000002.00000001.01000000.00000018.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3285746888.0000023D46892000.00000002.00000001.01000000.0000004B.sdmp, AgentPackageSystemTools.exe, 0000003B.00000002.2787382050.000001BABC432000.00000002.00000001.01000000.00000041.sdmp, AgentPackageHeartbeat.exe, 0000003C.00000002.2811860268.0000019246402000.00000002.00000001.01000000.00000043.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb< source: AgentPackageAgentInformation.exe, 00000013.00000000.2229421092.00000267BA2B2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000000.2594468379.000001E45C232000.00000002.00000001.01000000.00000027.sdmp
Source:	Binary string: n\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2748620083.0000000000877000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ?(nC:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2748620083.0000000000877000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 00000021.00000002.2369122956.0000026E3F772000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent\obj\Release\AgentPackageUpgradeAgent.pdbdeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2360997395.0000026E26AA2000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\AlphaControlAgentInstallation.pdb) source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdbSHA256G source: AgentPackageInternalPoller.exe, 00000034.00000002.2758826390.000001F44B9F2000.00000002.00000001.01000000.00000038.sdmp
Source:	Binary string: \??\C:\Windows\dll\mscorlib.pdbTy source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.PDB source: rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdbSHA256 source: AgentPackageInternalPoller.exe, 00000034.00000002.2771383497.000001F44BDC2000.00000002.00000001.01000000.00000040.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbdq source: AgentPackageTicketing.exe, 0000002D.00000002.3285746888.0000023D46892000.00000002.00000001.01000000.0000004B.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000D.00000000.2098028173.000001E2AA112000.00000002.00000001.01000000.0000000F.sdmp
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdb source: Microsoft.ApplicationInsights.dll.14.dr
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.Hosting/Release/net6.0/Microsoft.Extensions.Hosting.pdbSHA256-@ source: Microsoft.Extensions.Hosting.dll.25.dr
Source:	Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.pdb<\ source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\AlphaControlAgentInstallation.pdb="* source: rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageInternalPoller\AgentPackageInternalPoller\obj\Release\AgentPackageInternalPoller.pdb source: AgentPackageInternalPoller.exe, 00000034.00000000.2688823349.000001F4328E2000.00000002.00000001.01000000.00000035.sdmp
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000E.00000002.2593774093.000001CFF4802000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000E.00000002.2593774093.000001CFF4802000.00000002.00000001.01000000.00000026.sdmp
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368580202.0000026E3F6B2000.00000002.00000001.01000000.00000022.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2367604505.0000026E3F542000.00000002.00000001.01000000.00000020.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000013.00000000.2229421092.00000267BA2B2000.00000002.00000001.01000000.00000016.sdmp
Source:	Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2361978001.0000026E26C62000.00000002.00000001.01000000.0000001F.sdmp
Source:	Binary string: C:\Windows\AgentPackageUpgradeAgent.pdbpdbent.pdb(g6 source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2757925943.0000000007090000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: symbols\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdbSHA256 source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249659287.00000267D33D2000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2643531899.000002E01B6D0000.00000002.00000001.01000000.0000002C.sdmp, Newtonsoft.Json.dll6.25.dr
Source:	Binary string: C:\Windows\System.pdbpdbtem.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdb source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249659287.00000267D33D2000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368580202.0000026E3F6B2000.00000002.00000001.01000000.00000022.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2643531899.000002E01B6D0000.00000002.00000001.01000000.0000002C.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll6.25.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3010018700.000001E4754A2000.00000002.00000001.01000000.00000045.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3010018700.000001E4754A2000.00000002.00000001.01000000.00000045.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdbr source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\LiorKovarsky\Downloads\sharpsnmplib-11.3.0\sharpsnmplib-11.3.0\SharpSnmpLib\obj\Release\net45\win\SharpSnmpLib.pdb source: AgentPackageInternalPoller.exe, 00000034.00000002.2771383497.000001F44BDC2000.00000002.00000001.01000000.00000040.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi
Source:	Binary string: PC:\Windows\AgentPackageUpgradeAgent.pdbP source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb4X source: AgentPackageHeartbeat.exe, 0000003C.00000002.2811860268.0000019246402000.00000002.00000001.01000000.00000043.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageHeartbeat\AgentPackageHeartbeat\obj\Release\AgentPackageHeartbeat.pdb source: AgentPackageHeartbeat.exe, 0000003C.00000000.2765480855.0000019246092000.00000002.00000001.01000000.0000003F.sdmp
Source:	Binary string: em.pdb source: AteraAgent.exe, 00000019.00000002.3045083540.000001E55B8E4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: dows\dll\System.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 00000021.00000002.2360997395.0000026E26AA2000.00000002.00000001.01000000.0000001D.sdmp
Source:	Binary string: d:\svn\sr01\tim\dev\win32\stvideo\display\objfre_win7_x86\i386\stvideo.pdb source: stvideo.dll.2.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000013.00000002.2248721633.00000267BAAC2000.00000002.00000001.01000000.00000018.sdmp
Source:	Binary string: \??\C:\Windows\dll\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000032.00000002.2757925943.00000000070A8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: rundll32.exe, 00000032.00000002.2757925943.000000000709D000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: devcon.pdb source: devcon64.exe0.2.dr
Source:	Binary string: pC:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDBM( source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E4753F1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: E:\A\_work\533\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdbCW source: Microsoft.ApplicationInsights.dll.14.dr
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp
Source:	Binary string: d:\str\dev\win32\sthid\hidmapper\objfre_win7_x86\i386\hidkmdf.pdb source: hidkmdf.sys.2.dr
Source:	Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2379577749.00007FF8A03BA000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000D.00000002.2153873788.000001E2C4522000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.2.dr
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: rundll32.exe, 00000032.00000002.2748986402.0000000000AA4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.PDB source: AgentPackageUpgradeAgent.exe, 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: d:\str\dev\win32\sthid\hidmapper\objfre_win7_x86\i386\hidkmdf.pdbN source: hidkmdf.sys.2.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000D.00000002.2153873788.000001E2C4522000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll0.2.dr
Source:	Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 00000021.00000002.2369122956.0000026E3F772000.00000002.00000001.01000000.00000023.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageTicketing\TicketingPackageExtensions\obj\Release\TicketingPackageExtensions.pdb source: AgentPackageTicketing.exe, 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi
Source:	Binary string: D:\a\1\s\Atera.AgentCommunication.Models\obj\Release\net45\Atera.AgentCommunication.Models.pdb source: AgentPackageInternalPoller.exe, 00000034.00000002.2758826390.000001F44B9F2000.00000002.00000001.01000000.00000038.sdmp
Source:	Binary string: \??\C:\Windows\exe\AgentPackageUpgradeAgent.pdb source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AgentPackageTicketing\AgentPackageTicketing\obj\Release\AgentPackageTicketing.pdb source: AteraAgent.exe, 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000000.2624826314.0000023D45F72000.00000002.00000001.01000000.0000002A.sdmp

Data Obfuscation

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Anti Malware Scan Interface: FromBase64String($license)) | ConvertFrom-Json$licenseType = $decodedLicense.LicenseType$userId = $decodedLicense.Metadata.UserId$identitiesRegkey = Get-ItemProperty -Path "HKCU:\SOFTWARE\Micros

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 33_2_00007FF8A0271910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

33_2_00007FF8A0271910

Source: SRUsb.exe.2.dr	Static PE information: section name: _RDATA
Source: stdpms.sys.2.dr	Static PE information: section name: NONPAGED
Source: stdpms.sys0.2.dr	Static PE information: section name: NONPAGED
Source: SRWacomCtrl64.dll.2.dr	Static PE information: section name: _RDATA
Source: SRFeatMini.exe.2.dr	Static PE information: section name: .orpc
Source: SRFeature.exe.2.dr	Static PE information: section name: .orpc
Source: swresample-2.dll.2.dr	Static PE information: section name: .rodata
Source: swresample-2.dll.2.dr	Static PE information: section name: _RDATA

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FF848A900BD pushad ; iretd	13_2_00007FF848A900C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848ABCE09 push ebx; retf	14_2_00007FF848ABCE0A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848AA00BD pushad ; iretd	14_2_00007FF848AA00C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848ABE257 push ebx; iretd	14_2_00007FF848ABE25A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CC53F4 push es; iretd	14_2_00007FF848CC5587
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB592B push ecx; retf	14_2_00007FF848CB592C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB0AF1 push eax; ret	14_2_00007FF848CB0B14
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB5EBC push eax; ret	14_2_00007FF848CB5EB4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB5E84 push eax; ret	14_2_00007FF848CB5EB4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB6E78 pushad ; retf	14_2_00007FF848CB6E79
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB6FC4 pushad ; retf	14_2_00007FF848CB6FC5
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB710C pushad ; retf	14_2_00007FF848CB710D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB02C1 push eax; ret	14_2_00007FF848CB02E4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB65EE pushad ; retf	14_2_00007FF848CB65EF
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB57A6 push ecx; retf	14_2_00007FF848CB57A7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 14_2_00007FF848CB180C push eax; ret	14_2_00007FF848CB1824
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_068057B8 push es; ret	17_3_06805840
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_06804E90 push es; ret	17_3_06804EA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 17_3_068058B0 push es; ret	17_3_068058C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF848A6D5C9 push ds; retf 5F55h	19_2_00007FF848A6D92F
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF848A755BB push esp; iretd	19_2_00007FF848A755D9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 19_2_00007FF848A600BD pushad ; iretd	19_2_00007FF848A600C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FF848A8D5C9 push ds; retf 5F53h	21_2_00007FF848A8D92F
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FF848A955BB push esp; iretd	21_2_00007FF848A955D9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FF848A800BD pushad ; iretd	21_2_00007FF848A800C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 23_2_00007FF848A900BD pushad ; iretd	23_2_00007FF848A900C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AA6C18 pushad ; iretd	25_2_00007FF848AA6C19
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848A900BD pushad ; iretd	25_2_00007FF848A900C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848AA25F2 push eax; iretd	25_2_00007FF848AA2671
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848A9A658 push eax; retf	25_2_00007FF848A9A669
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 25_2_00007FF848A9A652 push eax; retf	25_2_00007FF848A9A669

Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1
Source: initial sample	Static PE information: section name: UPX0
Source: initial sample	Static PE information: section name: UPX1

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log

Sample is not signed and drops a device driver

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sys	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sys	Jump to behavior

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID58C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 5a26d6.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5B14.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 5a26d8.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC704.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7777.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI446C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7DE3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 5a26d4.rbf (copy)	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2160.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI245F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4390.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4341.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 5a26d7.rbf (copy)	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5881.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2EAC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3F86.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48FF.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC6C4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2852.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	File created: C:\Windows\Temp\SplashtopStreamer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI59CB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 5a26d5.rbf (copy)	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7864.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7815.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5DC1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: 5a26d2.rbf (copy)	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC80E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7864.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5B14.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7DE3.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI59CB.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2EAC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5881.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC6C4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7815.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI5DC1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC704.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI7777.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI245F.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSID58C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI3F86.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI48FF.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2852.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4390.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI5DC1.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2852.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2160.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI2EAC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI2160.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	File created: C:\Windows\Temp\SplashtopStreamer.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI4341.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI446C.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI3F86.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIC80E.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI245F.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI48FF.tmp-\System.Management.dll	Jump to dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\TEMP\AteraSetupLog.txt

Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txt	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txt	Jump to behavior

Boot Survival

Installs Task Scheduler Managed Wrapper

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\system32\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 33_2_00007FF8A026A524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

33_2_00007FF8A026A524

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter

Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""

Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1E2AA470000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1E2C3D40000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1CFDB1B0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1CFF3790000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 267BA6E0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 267D2B50000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 24E7C3C0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 24E7C8A0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1B669190000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 1B6694F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1E542A90000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1E55AC30000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 16309940000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 16322040000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Memory allocated: 26E26490000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Memory allocated: 26E3ECE0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Memory allocated: 1E45C640000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Memory allocated: 1E474B40000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Memory allocated: 2695D5D0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Memory allocated: 26975710000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Memory allocated: 2E002790000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Memory allocated: 2E01AF40000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Memory allocated: 23D46510000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Memory allocated: 23D5EB30000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Memory allocated: 1F432B40000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Memory allocated: 1F44B260000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	Memory allocated: 1BABBF40000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	Memory allocated: 1BAD4490000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Memory allocated: 192463D0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Memory allocated: 1925EAB0000 memory reserve \| memory write watch

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Code function: 25_2_00007FF848CB9369 rdtsc

25_2_00007FF848CB9369

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599891
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599766
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599544
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599437
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599326
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599219
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599109
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598891
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598781
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598547
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598438
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598325
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598219
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598094
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597977
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597875
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597765
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597646
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597529
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597421
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597312
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597203
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597094
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596984
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596875
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596766
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596547
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596438
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596313
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596188
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596063
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595953
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595843
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595734
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595625
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595515
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599891
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599782
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599657
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599532
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599407
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599282
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599170
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599056
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598948
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598844
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598730
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598625
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598516
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598407
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598283
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598157
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598032
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597904
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597797
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597687
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597573
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597468
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597360
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597236
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597094
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596968
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596838
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596735
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596610
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596475
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596357
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596239
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596120
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596013
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595907
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595782
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595657
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595532
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595407
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595282
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595172
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595062
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594949
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594844
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594702
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594567
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594344
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594142
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594016
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593905
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593766
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593639
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593485
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593360
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593237
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593079
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 592954
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 592800
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599858
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599744
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599638
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599531
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599421
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599312
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599189
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599062
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598953
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598835
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598719
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598600
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598484
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598351
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598192
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598062
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597776
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597654
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597543
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597406
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597271
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597120
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597015
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596901
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596761
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596648
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596531
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596405
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596281
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596072
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595953
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595826
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595719
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595566
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595344
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595217
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595100
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594969
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594844
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594707
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594581
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594453
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594333
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594203
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594093
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593984
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593874
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593764
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593543
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593435
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593324
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593218
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593100
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592895
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592687
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592569
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592453
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592311
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592203
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Thread delayed: delay time: 922337203685477

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 2624
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 7000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 5638
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 3917
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Window / User API: threadDelayed 4994
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Window / User API: threadDelayed 4866
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Window / User API: threadDelayed 2449
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Window / User API: threadDelayed 2118
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 7737
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 1866
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Window / User API: threadDelayed 5393
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Window / User API: threadDelayed 4373
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Window / User API: threadDelayed 7083
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Window / User API: threadDelayed 2639
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 4398
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 383
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Window / User API: threadDelayed 2415

Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI48FF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2852.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI245F.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSID58C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 5a26d6.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2852.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Pubnub.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3F86.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5B14.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3F86.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2EAC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 5a26d8.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC704.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7777.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5DC1.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5DC1.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2160.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2EAC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI446C.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI48FF.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2160.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5DC1.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7DE3.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 5a26d4.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2160.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2852.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI245F.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\QRCoder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2EAC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3F86.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4390.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI4341.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 5a26d7.rbf (copy)	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5881.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2EAC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI48FF.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.ValueTuple.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3F86.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI48FF.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC6C4.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2852.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Dropped PE file which has not been started: C:\Windows\Temp\SplashtopStreamer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2EAC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI59CB.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sys	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI245F.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Numerics.Vectors.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: 5a26d5.rbf (copy)	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.WinForm.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7864.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI48FF.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exe	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI3F86.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2852.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Buffers.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI7815.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5DC1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI5DC1.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2160.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI2160.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Memory.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIC80E.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI245F.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\rundll32.exe TID: 2616	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4768	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1272	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1512	Thread sleep count: 2624 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1512	Thread sleep count: 7000 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3580	Thread sleep time: -23058430092136925s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 3580	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 4768	Thread sleep time: -130000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 6536	Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 1848	Thread sleep time: -90000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 2704	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1240	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 3664	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 1984	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 6844	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 5604	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5416	Thread sleep count: 5638 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 5416	Thread sleep count: 3917 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7304	Thread sleep count: 35 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7304	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7404	Thread sleep time: -280000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7436	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7400	Thread sleep time: -90000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7348	Thread sleep count: 4994 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7352	Thread sleep count: 4866 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep count: 36 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -33204139332677172s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -599891s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -599766s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -599656s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -599544s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -599437s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -599326s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -599219s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -599109s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -599000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -598891s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -598781s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -598656s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -598547s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -598438s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -598325s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -598219s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -598094s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -597977s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -597875s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -597765s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -597646s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -597529s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -597421s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -597312s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -597203s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -597094s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -596984s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -596875s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -596766s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -596656s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -596547s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -596438s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -596313s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -596188s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -596063s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -595953s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -595843s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -595734s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -595625s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 612	Thread sleep time: -595515s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7592	Thread sleep count: 2449 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7608	Thread sleep count: 2118 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7628	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7628	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7636	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe TID: 7572	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7976	Thread sleep count: 7737 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7968	Thread sleep count: 1866 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8012	Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 8032	Thread sleep time: -60000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 8096	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 8072	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -27670116110564310s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4428	Thread sleep count: 5393 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -599891s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -599782s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 4428	Thread sleep count: 4373 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -599657s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -599532s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -599407s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -599282s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -599170s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -599056s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -598948s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -598844s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -598730s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -598625s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -598516s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -598407s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -598283s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -598157s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -598032s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -597904s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -597797s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -597687s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -597573s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -597468s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -597360s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -597236s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -597094s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -596968s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -596838s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -596735s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -596610s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -596475s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -596357s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -596239s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -596120s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -596013s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -595907s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -595782s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -595657s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -595532s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -595407s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -595282s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -595172s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -595062s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -594949s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -594844s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -594702s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -594567s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -594344s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -594142s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -594016s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -593905s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -593766s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -593639s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -593485s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -593360s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -593237s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -593079s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -592954s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe TID: 2108	Thread sleep time: -592800s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe TID: 3172	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 2136	Thread sleep count: 7083 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep count: 35 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -32281802128991695s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -600000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -599858s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 2136	Thread sleep count: 2639 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -599744s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -599638s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -599531s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -599421s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -599312s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -599189s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -599062s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -598953s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -598835s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -598719s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -598600s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -598484s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -598351s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -598192s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -598062s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -597776s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -597654s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -597543s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -597406s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -597271s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -597120s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -597015s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -596901s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -596761s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -596648s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -596531s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -596405s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -596281s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -596072s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -595953s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -595826s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -595719s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -595566s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -595344s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -595217s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -595100s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -594969s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -594844s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -594707s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -594581s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -594453s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -594333s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -594203s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -594093s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -593984s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -593874s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -593764s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -593656s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -593543s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -593435s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -593324s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -593218s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -593100s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -592895s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -592687s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -592569s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -592453s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -592311s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe TID: 4508	Thread sleep time: -592203s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 5884	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 6308	Thread sleep count: 292 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe TID: 7520	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552	Thread sleep count: 4398 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5740	Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7552	Thread sleep count: 383 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 6784	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe TID: 3848	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 6004	Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 5532	Thread sleep count: 2415 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 5532	Thread sleep count: 114 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 6544	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe TID: 7164	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599891
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599766
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599544
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599437
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599326
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599219
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599109
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 599000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598891
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598781
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598547
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598438
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598325
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598219
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 598094
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597977
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597875
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597765
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597646
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597529
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597421
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597312
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597203
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 597094
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596984
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596875
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596766
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596547
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596438
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596313
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596188
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 596063
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595953
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595843
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595734
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595625
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 595515
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599891
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599782
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599657
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599532
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599407
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599282
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599170
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 599056
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598948
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598844
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598730
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598625
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598516
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598407
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598283
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598157
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 598032
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597904
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597797
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597687
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597573
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597468
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597360
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597236
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 597094
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596968
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596838
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596735
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596610
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596475
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596357
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596239
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596120
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 596013
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595907
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595782
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595657
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595532
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595407
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595282
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595172
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 595062
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594949
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594844
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594702
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594567
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594344
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594142
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 594016
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593905
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593766
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593639
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593485
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593360
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593237
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 593079
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 592954
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Thread delayed: delay time: 592800
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599858
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599744
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599638
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599531
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599421
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599312
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599189
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 599062
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598953
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598835
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598719
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598600
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598484
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598351
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598192
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 598062
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597776
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597654
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597543
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597406
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597271
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597120
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 597015
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596901
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596761
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596648
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596531
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596405
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596281
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 596072
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595953
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595826
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595719
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595566
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595344
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595217
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 595100
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594969
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594844
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594707
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594581
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594453
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594333
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594203
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 594093
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593984
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593874
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593764
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593543
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593435
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593324
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593218
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 593100
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592895
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592687
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592569
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592453
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592311
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Thread delayed: delay time: 592203
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Thread delayed: delay time: 922337203685477

Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service0
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3230976576.00000163229AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: -Hyper-V Remote Desktop Virtualization Service0
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3227237418.000001632286D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3226447227.000001632285E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown#
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3222718844.0000016322800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServicevmicvssvmicvssStopped
Source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E4753E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAz
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3227237418.000001632286D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service0
Source: AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C46A0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4779000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.2154117226.000001E2C4720000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF4423000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000011.00000002.2199891417.000000000099B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2198629888.0000000000999000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServicevmicshutdownvmicshutdownStoppedindows\a=
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3230976576.00000163229AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
Source: rundll32.exe, 00000005.00000002.2077842836.00000000030AD000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249904323.00000267D3480000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2266724520.0000024E7D120000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.3035623763.000001E55B458000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3230976576.00000163229A9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2366710372.0000026E3F3FD000.00000004.00000020.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000002.3002383624.000001E4753D9000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3355927161.0000026976060000.00000004.00000020.00020000.00000000.sdmp, AgentPackageHeartbeat.exe, 0000003C.00000002.2833195274.000001925F2F0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AgentPackageAgentInformation.exe, 00000013.00000000.2229421092.00000267BA2B2000.00000002.00000001.01000000.00000016.sdmp	Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
Source: AgentPackageUpgradeAgent.exe, 00000027.00000002.3002981073.000001E4753E3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW==
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: !Hyper-V PowerShell Direct Service0
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3226447227.000001632285E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicheartbeatM
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: AgentPackageMonitoring.exe, 00000021.00000002.2360680043.0000026E26692000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: vmware
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3227237418.000001632286D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
Source: AgentPackageMonitoring.exe, 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2360680043.0000026E26692000.00000002.00000001.01000000.0000001C.sdmp	Binary or memory string: get_IsVirtualMachine
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3226071999.000001632284A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
Source: AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: IsVirtualMachine
Source: AgentPackageInternalPoller.exe, 00000034.00000002.2760858194.000001F44BB50000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3227237418.000001632286D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: rundll32.exe, 00000032.00000002.2748986402.0000000000B04000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllt
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Time Synchronization Service0
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3222718844.0000016322800000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped`c
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3230976576.00000163229AE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{baefc400-1cb2-6d19-d2b5-4ac4ae014b83}"6000C292B65879FF477A6AF604113F58VMware Virtual diskVMwareVirtual disk6000c292b65879ff477a6af604113f58PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface0
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service0
Source: AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: $Hyper-V Volume Shadow Copy Requestor0
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3226071999.000001632284A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
Source: AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3F74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3226071999.000001632284A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: AgentPackageAgentInformation.exe, 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Code function: 25_2_00007FF848CB9369 rdtsc

25_2_00007FF848CB9369

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

33_2_00007FF8A0271910

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 33_2_00007FF8A02AAFB0 OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,GetEnvironmentVariableW,SetEnvironmentVariableW,_errno,_errno,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_snprintf,OutputDebugStringA,

33_2_00007FF8A02AAFB0

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

33_2_00007FF8A0271910

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

33_2_00007FF8A02AAFB0

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Process token adjusted: Debug

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 33_2_00007FF8A026ACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter,

33_2_00007FF8A026ACD4

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\SysWOW64\rundll32.exe

Network Connect: 40.119.152.241 443

Bypasses PowerShell execution policy

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="flaviolimapontescliente01@gmail.com" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000KZFzxIAH" /AgentId="f59f3442-6117-4640-8aae-6ef22eb1ae8f"	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "15ce275a-be83-4afa-bdcf-3f7d4cc3415d" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000KZFzxIAH	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "f3f8c138-efff-44a7-8aff-78b661b79ea9" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "97d527e2-ace6-4af1-87ff-fd0bb84d12a8" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "93138382-7cb2-4c66-b5a0-34a2c11202fd" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "31b88dde-1623-4466-adb0-05f466efd2ea" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "15ce275a-be83-4afa-bdcf-3f7d4cc3415d" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "d993a967-e5b2-425f-a13a-df33fb52e8f5" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "4b2bcc99-0697-449c-87dd-e9f93a323079" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "659c678a-03f4-46f8-a144-5552c5e31eca" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "9714075a-7bec-49a9-9497-61d2edb1cb2b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "6bd80e1c-f436-4cf9-8790-13938e064803" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "0dbdfe1d-c093-4c9b-82ad-6e5a3763b364" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "9714075a-7bec-49a9-9497-61d2edb1cb2b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000KZFzxIAH
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\cmd.exe "cmd.exe" /c powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Process created: C:\Windows\System32\msiexec.exe "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 33_2_00007FF8A026739C cpuid

33_2_00007FF8A026739C

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2852.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2852.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2EAC.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2EAC.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2EAC.tmp-\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI3F86.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI3F86.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI5DC1.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI5DC1.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI5DC1.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1151.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package03~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package0013~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0314~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\Microsoft.KeyDistributionService.Cmdlets\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.KeyDistributionService.Cmdlets.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.LocalAccounts\1.0.0.0\Microsoft.PowerShell.LocalAccounts.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2160.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI2160.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI245F.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI245F.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI48FF.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI48FF.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 33_2_00007FF8A026CC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

33_2_00007FF8A026CC04

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 33_2_00007FF8A02685D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,

33_2_00007FF8A02685D4

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct

Remote Access Functionality

Yara detected AteraAgent

Source: Yara match	File source: 19.2.AgentPackageAgentInformation.exe.267baac0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.AgentPackageTicketing.exe.23d46890000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 59.0.AgentPackageSystemTools.exe.1babbb20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 59.2.AgentPackageSystemTools.exe.1babc430000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.2.AgentPackageMonitoring.exe.26e26690000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.0.AgentPackageAgentInformation.exe.267ba2b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 52.0.AgentPackageInternalPoller.exe.1f4328e0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.2.AgentPackageTicketing.exe.23d46870000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 45.0.AgentPackageTicketing.exe.23d45f70000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.0.AteraAgent.exe.1e2aa110000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 39.0.AgentPackageUpgradeAgent.exe.1e45c230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 41.0.AgentPackageSTRemote.exe.2695ce10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 60.2.AgentPackageHeartbeat.exe.19246400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 33.0.AgentPackageMonitoring.exe.26e261f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000034.00000002.2734005619.000001F433494000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2264112406.000001B668C30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000002.2709175078.000001E861C9C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153248860.000001E2ABEBC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543928000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2924086021.000001E302300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2247425634.00000267BA3A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBC48000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBB30000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152585479.000001E2AA271000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3273707942.0000023D460C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2834297506.000001E542370000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152585479.000001E2AA2A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2734005619.000001F43327E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2630910511.000002E0027A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2936902415.000001E45C410000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2789137147.000001BABC509000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.2922053260.000001E3022FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2248418409.00000267BA590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBEC4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2266447306.0000024E7C400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2260910212.0000024E00047000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3266755368.00000065D0B31000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3045083540.000001E55B92D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2248887172.00000267BABC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2359837565.0000026E262E0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2789137147.000001BABC491000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000020.00000002.3267482446.0000019B442B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000031.00000003.2661038149.000000000462B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543A50000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2155535704.00007FF848B24000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3273707942.0000023D4608C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000003.2689661385.0000022086C40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3174174470.00000163096D3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2369780213.0000026E40655000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2827959743.00000027A7AE8000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543065000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.2875187580.000001E302270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2248721633.00000267BAAC2000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E54360D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2630910511.000002E0027A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3244506065.0000016322B42000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153248860.000001E2ABDC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3274308757.000002695D07C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2760858194.000001F44BBF5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2787382050.000001BABC432000.00000002.00000001.01000000.00000041.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E5432C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3183499015.000001630A25A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2734005619.000001F4333D5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2556640926.000001CFDAF28000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.2811860268.0000019246402000.00000002.00000001.01000000.00000043.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.2799943703.000001924633E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2264112406.000001B668CBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.2799943703.00000192462BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E542C9C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3089682303.00000220869B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3288600100.0000023D46B92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2589449099.000001CFF43E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2260286662.000001B600083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E5435FF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2362218873.0000026E2727E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152585479.000001E2AA210000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3285991937.000002695D94A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2264872270.0000024E7C050000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3045083540.000001E55B885000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3174174470.0000016309699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3274308757.000002695CFF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2734005619.000001F433261000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3285746888.0000023D46892000.00000002.00000001.01000000.0000004B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2154503758.000001E2C4850000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDB926000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153248860.000001E2ABE72000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000038.00000002.2709175078.000001E861C90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2264112406.000001B668C38000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2734005619.000001F43349E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2938598314.000001E45C453000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3183499015.000001630A257000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2154536366.000001E2C4976000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2248887172.00000267BAB51000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2247425634.00000267BA3EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2947709393.000001E45C665000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2942637569.000001E45C4FC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.2799943703.00000192462F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2575534278.0000018C7FD30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2362218873.0000026E26CE1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.2818917909.0000019246AB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2831365475.00000027A82F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543A19000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2154117226.000001E2C4779000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2830451765.00000027A81E9000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2772275360.000001BABBCC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3035623763.000001E55B4D6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E54392A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2835670930.000001E54253C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2938598314.000001E45C49B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2724831615.000001F432C1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBA56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2575434147.0000018C7FB6B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000003.2274406570.0000018C7FD50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3181429809.00000163099F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2575434147.0000018C7FB83000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E54317E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543606000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2595880171.000001CFF4906000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2247425634.00000267BA3A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2615805731.00000206678A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543A4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153248860.000001E2ABE75000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3274308757.000002695D039000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2835670930.000001E5425D1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2260910212.0000024E00073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3283401681.000002695D2E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2772890811.000001BABBDDC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2999155152.000001E4753A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.2753876487.0000000004611000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2369489506.0000026E40217000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2938598314.000001E45C461000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152585479.000001E2AA216000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E542D6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.2833195274.000001925F2F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2260910212.0000024E00001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2942637569.000001E45C4B4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2734005619.000001F4334A0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2630910511.000002E0027DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2724831615.000001F432BDB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2264872270.0000024E7C059000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2948323551.000001E45CCB7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2829711183.00000027A80F1000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2260910212.0000024E00083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2615805731.0000020668A11000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2360088406.0000026E26550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3273707942.0000023D4610F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3273707942.0000023D46080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2264036436.000001B668C20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2724831615.000001F432B50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2734005619.000001F433280000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2630910511.000002E002826000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543919000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2936416893.000001E45C3E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E5433E2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3285991937.000002695D840000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2360088406.0000026E26510000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3219024041.00000163227B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBA4E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2635428988.000002E002980000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2772890811.000001BABBD5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E5434DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3045083540.000001E55B8E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBAF4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2379942506.00007FF8A03F9000.00000004.00000001.01000000.0000001B.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543978000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2260286662.000001B600073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2556602593.000001CFDAF10000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3045083540.000001E55B942000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E54354F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3283209157.0000023D46430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3174174470.00000163096CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152372049.000001E2AA200000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2248887172.00000267BABD3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2638178858.000002E002FC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3274308757.000002695CFFC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543577000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543A5A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000003.2668222570.00000000044BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBC0C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3045083540.000001E55B985000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543A54000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.3002981073.000001E4753F1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153248860.000001E2ABEA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2558947208.000001CFDB220000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2948323551.000001E45CDC9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBBBA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2555505411.000000155C2F5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2718929915.0000028681B3B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3183499015.000001630A0DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3285991937.000002695D711000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3183499015.000001630A31F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3089682303.00000220869BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000000.2229421092.00000267BA2B2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2366710372.0000026E3F3A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3030057801.00000286F08C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2760858194.000001F44BB50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2948323551.000001E45CDB8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000000.2612366668.000002695CE12000.00000002.00000001.01000000.00000029.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2778689991.0000027604788000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2556640926.000001CFDAF5A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2734005619.000001F43349C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3274308757.000002695D030000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2772890811.000001BABBD91000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2260910212.0000024E000BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000002.2924328286.000001E302BE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBD95000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2366710372.0000026E3F3FD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2609908643.0000020666550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2938598314.000001E45C430000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2247425634.00000267BA360000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2264112406.000001B668C6C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2359986359.0000026E26460000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3035623763.000001E55B458000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2360088406.0000026E26502000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000000.2624826314.0000023D45F72000.00000002.00000001.01000000.0000002A.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2825838156.00000027A76F4000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153248860.000001E2ABDF2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2732932291.000001F432E10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3044865188.00000286F1524000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3288600100.0000023D46B31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2615805731.00000206677A6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.2815241259.0000019246530000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.2799943703.00000192462B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2760858194.000001F44BBA7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3355927161.00000269760CB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2260286662.000001B600001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3183499015.000001630A1B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543549000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.2948323551.000001E45CB41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002D.00000002.3288600100.0000023D46BAF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3266806247.0000007FFB721000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3228082364.0000016322892000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.3002383624.000001E4753D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2369527319.0000026E40415000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3183499015.000001630A285000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2360680043.0000026E26692000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2834811670.000001E5424D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2835670930.000001E542500000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDB814000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2813710956.00000027A5F05000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2264872270.0000024E7C08D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153248860.000001E2ABD41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2264872270.0000024E7C0D7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543547000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000002.2772890811.000001BABBD50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003C.00000002.2818917909.0000019246BFD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3045083540.000001E55B8AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001E.00000002.2575434147.0000018C7FB60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003B.00000000.2764706921.000001BABBB22000.00000002.00000001.01000000.0000003D.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2593246742.000001CFF45CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3089978922.0000022086C20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2584991032.000001CFF404E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.3045083540.000001E55B903000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2264872270.0000024E7C098000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000002.2724831615.000001F432B90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2835670930.000001E542589000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBB78000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000000.2594468379.000001E45C232000.00000002.00000001.01000000.00000027.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000000.2098028173.000001E2AA112000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2153248860.000001E2ABDCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2615805731.00000206686C8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E5431FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2589449099.000001CFF4423000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000027.00000002.3002981073.000001E4753E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002B.00000002.2638178858.000002E002F41000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2589449099.000001CFF447F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2556640926.000001CFDAF20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000033.00000002.3089682303.00000220869D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2152585479.000001E2AA251000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2369676343.0000026E40426000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2360088406.0000026E264C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000029.00000002.3285991937.000002695D788000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.2921977102.000001E3022EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000034.00000000.2688823349.000001F4328E2000.00000002.00000001.01000000.00000035.sdmp, type: MEMORY
Source: Yara match	File source: 00000032.00000002.2753876487.00000000046B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000002F.00000003.2916707362.000001E302270000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000003F.00000002.2778689991.0000027604780000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E543A80000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3183499015.000001630A041000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2615805731.00000206679C5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.3038002252.00000286F0BA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3174174470.0000016309690000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.3183499015.000001630A1C0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2615805731.0000020668981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2852883567.000001E542C31000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2556640926.000001CFDAFA5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2718929915.0000028680233000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2718929915.0000028680C33000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2615805731.00000206681C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2615805731.00000206672B8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000036.00000002.2718929915.0000028681633000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2615805731.00000206683AD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000025.00000002.2615805731.0000020668A58000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 1268, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2360, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 2520, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 2704, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 1684, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 5344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 6460, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 4676, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 3292, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7196, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7320, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cscript.exe PID: 7388, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageMonitoring.exe PID: 7516, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 7884, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 8028, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageSTRemote.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageUpgradeAgent.exe PID: 3732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageTicketing.exe PID: 6780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: msiexec.exe PID: 5808, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 5052, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: cmd.exe PID: 7536, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageInternalPoller.exe PID: 7532, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: powershell.exe PID: 2796, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Agent.Package.Watchdog.exe PID: 5668, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 4616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageSystemTools.exe PID: 3780, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageHeartbeat.exe PID: 4708, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Agent.Package.Watchdog.exe PID: 5068, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Temp\~DF6D33A0ADC94BBBE5.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFE5923E136715CD1F.TMP, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\5a26d9.rbs, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\5a26d1.rbs, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF603903B513D5BCB4.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFCEE123E47C423CC1.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe, type: DROPPED
Source: Yara match	File source: dropped/ConDrv, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\FormControlsLibrary.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF6E209428833F2CD1.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF4E59C1764FE9126C.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI7776.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFB0521A0F76C387C2.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF790C55AF4C3DCBC5.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF6893122F8D5FBA49.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFBE13C9327F3F7CB6.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF0C43DC00A9844606.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI2EAC.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF05EBE42A91F6CC4B.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFB39156E6B5BBCE6A.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF6EF34059F1021E6F.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\AteraSetupLog.txt, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFABF0B432F70445F5.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI3F86.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI2160.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI5DC1.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF821A8781B12F81CE.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI4330.tmp, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\5a26cc.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI5880.tmp, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF2CD737AE208E96F1.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI48FF.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFCBEA40FF15FC580C.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI2852.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI245F.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: \Device\ConDrv, type: DROPPED

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Code function: 33_2_00007FF8A02AB9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA,

33_2_00007FF8A02AB9F0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	1 Replication Through Removable Media	541 Windows Management Instrumentation	1 Scripting	1 DLL Side-Loading	21 Disable or Modify Tools	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 DLL Side-Loading	32 Windows Service	1 Deobfuscate/Decode Files or Information	LSASS Memory	11 Peripheral Device Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Command and Scripting Interpreter	32 Windows Service	111 Process Injection	31 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	11 Scheduled Task/Job	11 Scheduled Task/Job	11 Scheduled Task/Job	111 Software Packing	NTDS	146 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	11 Service Execution	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Query Registry	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	1 PowerShell	RC Scripts	RC Scripts	1 File Deletion	Cached Domain Credentials	671 Security Software Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	123 Masquerading	DCSync	1 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 Modify Registry	Proc Filesystem	351 Virtualization/Sandbox Evasion	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	351 Virtualization/Sandbox Evasion	/etc/passwd and /etc/shadow	1 Application Window Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement
IP Addresses	Compromise Infrastructure	Supply Chain Compromise	PowerShell	Cron	Cron	111 Process Injection	Network Sniffing	Network Service Discovery	Shared Webroot	Local Data Staging	File Transfer Protocols	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	External Defacement
Network Security Appliances	Domains	Compromise Software Dependencies and Development Tools	AppleScript	Launchd	Launchd	1 Rundll32	Input Capture	System Network Connections Discovery	Software Deployment Tools	Remote Data Staging	Mail Protocols	Exfiltration Over Unencrypted Non-C2 Protocol	Firmware Corruption

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	21%	ReversingLabs	Win32.Trojan.Atera

Dropped Files

Source	Detection	Scanner	Label
5a26d2.rbf (copy)	21%	ReversingLabs	Win32.Trojan.Atera
5a26d4.rbf (copy)	0%	ReversingLabs
5a26d5.rbf (copy)	0%	ReversingLabs
5a26d6.rbf (copy)	0%	ReversingLabs
5a26d7.rbf (copy)	0%	ReversingLabs
5a26d8.rbf (copy)	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	21%	ReversingLabs	Win32.Trojan.Atera
C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\CliWrap.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.EnvironmentVariables.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.Abstractions.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.Abstractions.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Console.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Debug.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Primitives.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Hosting.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Extensions.Logging.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Encodings.Web.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\de\Microsoft.Win32.TaskScheduler.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\ru\Microsoft.Win32.TaskScheduler.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	0%	ReversingLabs
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	0%	ReversingLabs

Name	Source	Malicious
https://ps.atera.com/installers/EO.WebBrowser/eo.webbrowser.22.1.42.nupkgX	AgentPackageTicketing.exe, 0000002D.00000002.3288600100.0000023D46BAF000.00000004.00000800.00020000.00000000.sdmp	false
https://atera-agent-heartbeat.servicebus.windows.net/agentheartbeat/messages	AgentPackageHeartbeat.exe, 0000003C.00000002.2818917909.0000019246AB1000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.atera.com/Productio	AteraAgent.exe, 00000019.00000002.2852883567.000001E542C31000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.datacontract.org	AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.ateH:	AteraAgent.exe, 00000019.00000002.2852883567.000001E543919000.00000004.00000800.00020000.00000000.sdmp	false
https://nlog-project.org/	AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368505293.0000026E3F6A8000.00000002.00000001.01000000.00000021.sdmp	false
https://agent-api.atera.com/Production/Agent/track-event	rundll32.exe, 00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.0000000004611000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.00000000046B4000.00000004.00000800.00020000.00000000.sdmp	false
https://aka.ms/dotnet/app-launch-failed	Agent.Package.Watchdog.exe, 00000038.00000002.2709175078.000001E861C9C000.00000004.00000020.00020000.00000000.sdmp, Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2778689991.0000027604788000.00000004.00000020.00020000.00000000.sdmp	false
http://dl.google.com/googletalk/googletalk-setup.exe	AgentPackageAgentInformation.exe, 00000013.00000000.2229421092.00000267BA2B2000.00000002.00000001.01000000.00000016.sdmp	false
http://repository.swisssign.com/0	AteraAgent.exe, 0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp	false
https://ps.ateHB	AteraAgent.exe, 00000019.00000002.2852883567.000001E543928000.00000004.00000800.00020000.00000000.sdmp	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/36.9/AGENTPACKAGEMONITORING.ZIP	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.PJ	AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=907b2fa1-39bf-44d6-a0bf-6b8493a99cb5	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC58000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.datacontract.org/2004/07/System.ServiceProcess	AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp	false
https://my.splashtop.com/csrs/win	AgentPackageSTRemote.exe, 00000029.00000000.2612366668.000002695CE12000.00000002.00000001.01000000.00000029.sdmp	false
http://wixtoolset.org	rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.AVAILABILITY/0.16/AGENT.PACKAGE.AVAILABILITY.Z	AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEHEARTBEAT/17.14/AGENTPACKAGEHEARTBEAT.ZIP	AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.atera.com/Production/Agent/track-event;	rundll32.exe, 00000005.00000002.2078628555.0000000004D96000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.00000000044B6000.00000004.00000800.00020000.00000000.sdmp	false
https://nuget.org/nuget.exe	powershell.exe, 00000025.00000002.2717163049.00000206770FE000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2615805731.0000020668A58000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2997229161.0000028690072000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2997229161.00000286901B5000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.2/AgentPackageAgentInformati	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB78000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	false
http://acontrol.atera.com/	AteraAgent.exe, 0000000D.00000000.2098028173.000001E2AA112000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542C31000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.atera.com/Production/Agent/dynamic-fields/	AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.P0	AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.atera.com/Production/Agent/agentMonitoredDevices/f59f3442-6117-4640-8aae-6ef22eb1a	AgentPackageInternalPoller.exe, 00000034.00000002.2734005619.000001F433280000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	false
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	rundll32.exe, 00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2248887172.00000267BABD3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2260910212.0000024E000BF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542C31000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A041000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2615805731.0000020667091000.00000004.00000800.00020000.00000000.sdmp, AgentPackageUpgradeAgent.exe, 00000027.00000002.2948323551.000001E45CB41000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D788000.00000004.00000800.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3288600100.0000023D46B31000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.0000000004611000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000032.00000002.2753876487.00000000046B4000.00000004.00000800.00020000.00000000.sdmp, AgentPackageInternalPoller.exe, 00000034.00000002.2734005619.000001F433280000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000036.00000002.2718929915.0000028680001000.00000004.00000800.00020000.00000000.sdmp, AgentPackageHeartbeat.exe, 0000003C.00000002.2818917909.0000019246AB1000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/26.6/AgentPackageSystemTools.zip?r3S	AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGERUNTIMEINSTALLER/1.6/AGENTPACKAGERUNTIMEINSTALLE	AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp	false
http://my.splashtop.com	AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D8D4000.00000004.00000800.00020000.00000000.sdmp	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEPROGRAMMANAGEMENT/23.0/AGENTPACKAGEPROGRAMMANAGE	AteraAgent.exe, 00000019.00000002.2852883567.000001E542D6A000.00000004.00000800.00020000.00000000.sdmp	false
http://pesterbdd.com/images/Pester.png	powershell.exe, 00000036.00000002.2718929915.0000028680233000.00000004.00000800.00020000.00000000.sdmp	false
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 00000036.00000002.2718929915.0000028680233000.00000004.00000800.00020000.00000000.sdmp	false
http://microsoft.co	rundll32.exe, 00000005.00000002.2079122206.0000000007470000.00000004.00000020.00020000.00000000.sdmp	false
https://atera-agent-heartbeat.servicebus.windows.net/	AgentPackageHeartbeat.exe, 0000003C.00000002.2818917909.0000019246AB1000.00000004.00000800.00020000.00000000.sdmp	false
https://westeurope-5.in.applicationinsights.azure.com/;LiveEndpoint=https://westeurope.livediagnosti	AgentPackageTicketing.exe, 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp	false
https://contoso.com/Icon	powershell.exe, 00000036.00000002.2997229161.00000286901B5000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageAg	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA0C000.00000004.00000800.00020000.00000000.sdmp	false
https://download.splashtop.com	AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D930000.00000004.00000800.00020000.00000000.sdmp	false
https://aka.ms/dotnet/app-launch-failed&gui=trueShowing	Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	false
http://www.symauth.com/cps0(	stvideo.dll.2.dr	false
https://agent-api.atera.com	rundll32.exe, 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004AD5000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA4E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2248887172.00000267BABD3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2260910212.0000024E000BF000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A25A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A0DE000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/dotnet/runtimeu	Microsoft.Extensions.Hosting.dll.25.dr	false
https://www.nuget.org/packages/NLog.Web.AspNetCore	AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368505293.0000026E3F6A8000.00000002.00000001.01000000.00000021.sdmp	false
https://github.com/Pester/Pester	powershell.exe, 00000036.00000002.2718929915.0000028680233000.00000004.00000800.00020000.00000000.sdmp	false
http://www.w3.oh	AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.atera.com/Production/Agent/GetCommands	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.2/AgentPackageA	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBAF4000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/27.7/AgentPackageTicketing.zip	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=b4d66385-ea77-44cf-9415-7e56999fc7a2	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?r3SRub	AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	false
http://www.symauth.com/rpa00	stvideo.dll.2.dr	false
http://schemas.xmlsoap.org/wsdl/	powershell.exe, 00000025.00000002.2615805731.00000206679C5000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000025.00000002.2615805731.00000206672B8000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip?r3SRub	AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	false
http://nlog-project.org/ws/	AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	false
http://nlog-project.org/ws/ILogReceiverServer/ProcessLogMessagesT	AgentPackageMonitoring.exe, 00000021.00000002.2367814782.0000026E3F5D2000.00000002.00000001.01000000.00000021.sdmp	false
https://ps.atera.com/a	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	false
https://urn.to/r/sds_see	AgentPackageMonitoring.exe, 00000021.00000002.2369122956.0000026E3F772000.00000002.00000001.01000000.00000023.sdmp	false
https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.39/AgentPackageMonitoring.z	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.ateHj	AteraAgent.exe, 00000019.00000002.2852883567.000001E543638000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=7bc29546-b52f-485b-8762-cf4656a15e80	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	false
https://my.splashtop.com	AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D840000.00000004.00000800.00020000.00000000.sdmp	false
https://system.data.sqlite.org/X	AgentPackageMonitoring.exe, 00000021.00000002.2369410283.0000026E3F7D4000.00000002.00000001.01000000.00000023.sdmp	false
http://crl.securetrust.com/SGCA.crl0	AteraAgent.exe, 0000000E.00000002.2584991032.000001CFF3F74000.00000004.00000020.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/A	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp	false
http://www.abit.com.tw/	AgentPackageMonitoring.exe, 00000021.00000002.2361215633.0000026E26AF2000.00000002.00000001.01000000.0000001E.sdmp	false
https://agent-api.atera.com/Production/Agent/recurringCommandResult	AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A25A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001C.00000002.3183499015.000001630A1C0000.00000004.00000800.00020000.00000000.sdmp	false
https://aka.ms/dotnet-core-applaunch?	Agent.Package.Watchdog.exe, 00000038.00000000.2704651850.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 00000038.00000002.2714164300.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000000.2776315978.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp, Agent.Package.Watchdog.exe, 0000003F.00000002.2779712552.00007FF69B46A000.00000002.00000001.01000000.00000036.sdmp	false
https://api.nuget.org	AgentPackageTicketing.exe, 0000002D.00000002.3288600100.0000023D46BAF000.00000004.00000800.00020000.00000000.sdmp	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMARKETPLACE/1.4/AGENTPACKAGEMARKETPLACE.ZIP	AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/dotnet/runtime	Microsoft.Extensions.Configuration.EnvironmentVariables.dll.25.dr, Microsoft.Extensions.Hosting.dll.25.dr	false
https://agent-api.atera.com/Production/Agent/AcknowledgeCommands	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/36.9/AgentPackageMonitoring.zip?r3SRu	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	false
http://crl.thawte.com/ThawteTimestampingCA.crl0	stvideo.dll.2.dr, hidkmdf.sys.2.dr	false
https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe	AgentPackageSTRemote.exe, 00000029.00000002.3285991937.000002695D840000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000029.00000000.2612366668.000002695CE12000.00000002.00000001.01000000.00000029.sdmp	false
http://www.quovadisglobal.com/cps0	AteraAgent.exe, 0000000E.00000002.2593246742.000001CFF45DE000.00000004.00000020.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D00000.00000004.00000800.00020000.00000000.sdmp	false
https://agent-api.atera.com/Production/Agent/CommandResultRecurring/AgentPackageTicketingInstallHelp	AgentPackageTicketing.exe, 0000002D.00000002.3273707942.0000023D4610F000.00000004.00000020.00020000.00000000.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3288600100.0000023D46B31000.00000004.00000800.00020000.00000000.sdmp	false
http://www.w3.o	AteraAgent.exe, 0000000D.00000002.2153248860.000001E2ABE09000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.2/AgentPackageAgentInformation	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB78000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/19.2/AgentPackageOsUpdates.zip?r3SRubn	AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/JamesNK/Newtonsoft.Json	rundll32.exe, 00000004.00000003.2032629720.0000000004B33000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.2038794357.00000000049BC000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000006.00000003.2084104559.0000000004B06000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000011.00000003.2158928933.0000000004359000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000013.00000002.2249659287.00000267D33D2000.00000002.00000001.01000000.00000019.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542E5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E543A2A000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 00000021.00000002.2368580202.0000026E3F6B2000.00000002.00000001.01000000.00000022.sdmp, AgentPackageUpgradeAgent.exe, 0000002B.00000002.2643531899.000002E01B6D0000.00000002.00000001.01000000.0000002C.sdmp, rundll32.exe, 00000031.00000003.2661038149.000000000465C000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000032.00000003.2668222570.00000000044ED000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000003A.00000003.2761236038.0000000004DB7000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll6.25.dr	false
https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB80C000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availa	AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInst	AteraAgent.exe, 00000019.00000002.2852883567.000001E543640000.00000004.00000800.00020000.00000000.sdmp	false
https://github.com/mono/linker/issues/1416.	Microsoft.Extensions.Hosting.dll.25.dr	false
https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip?r	AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	false
https://aka.ms/winsvr-2022-pshelpX	powershell.exe, 00000025.00000002.2615805731.00000206686C8000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/26.8/AgentPackageUpgradeAgent.zip	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000019.00000002.2852883567.000001E542D18000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.pndsn	AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBD4000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC58000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBB46000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp	false
https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Wat	AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	false
https://www.sqlite.org/copyright.html2	AgentPackageMonitoring.exe, 00000021.00000002.2380051125.00007FF8A0404000.00000002.00000001.01000000.0000001B.sdmp, SQLite.Interop.dll.14.dr	false
https://api.nuget.org/v3-flatcontainer/eo.webbrowser/22.1.42/eo.webbrowser.22.1.42.nupkg	AgentPackageTicketing.exe, 0000002D.00000002.3285143958.0000023D46872000.00000002.00000001.01000000.00000049.sdmp, AgentPackageTicketing.exe, 0000002D.00000002.3288600100.0000023D46BAF000.00000004.00000800.00020000.00000000.sdmp	false
HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENT.PACKAGE.WATCHDOG/1.5/AGENT.PACKAGE.WATCHDOG.ZIP	AteraAgent.exe, 00000019.00000002.2852883567.000001E543756000.00000004.00000800.00020000.00000000.sdmp	false

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
40.119.152.241	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	true
93.184.221.240	unknown	European Union	15133	EDGECASTUS	false
35.157.63.227	unknown	United States	16509	AMAZON-02US	false
35.157.63.229	unknown	United States	16509	AMAZON-02US	false
143.204.68.86	unknown	United States	16509	AMAZON-02US	false
20.86.89.202	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
18.239.69.54	unknown	United States	16509	AMAZON-02US	false
192.229.221.95	unknown	United States	15133	EDGECASTUS	false
152.199.23.209	unknown	United States	15133	EDGECASTUS	false
20.60.197.1	unknown	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false
52.223.39.232	unknown	United States	8987	AMAZONEXPANSIONGB	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1484988
Start date and time:	2024-07-30 22:27:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 14m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	75
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winMSI@109/686@0/11
EGA Information:	Successful, ratio: 16.7%
HCA Information:	Successful, ratio: 66% Number of executed functions: 486 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .msi

Warnings

Exclude process from analysis (whitelisted): Conhost.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe
Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 4676 because it is empty
Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 5344 because it is empty
Execution Graph export aborted for target AgentPackageAgentInformation.exe, PID 6460 because it is empty
Execution Graph export aborted for target AteraAgent.exe, PID 1684 because it is empty
Execution Graph export aborted for target AteraAgent.exe, PID 2704 because it is empty
Execution Graph export aborted for target AteraAgent.exe, PID 3292 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 1268 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 2360 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 2520 because it is empty
Execution Graph export aborted for target rundll32.exe, PID 7124 because it is empty
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtSetValueKey calls found.
Skipping network analysis since amount of network traffic is too extensive
VT rate limit hit for: SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi

Simulations

Behavior and APIs

Time	Type	Description
16:28:01	API Interceptor	3x Sleep call for process: rundll32.exe modified
16:28:06	API Interceptor	1581x Sleep call for process: AteraAgent.exe modified
16:28:18	API Interceptor	47x Sleep call for process: AgentPackageAgentInformation.exe modified
16:28:27	API Interceptor	18x Sleep call for process: AgentPackageMonitoring.exe modified
16:28:52	API Interceptor	23x Sleep call for process: powershell.exe modified
16:28:56	API Interceptor	13516x Sleep call for process: AgentPackageSTRemote.exe modified
16:29:00	API Interceptor	3230x Sleep call for process: AgentPackageTicketing.exe modified
16:29:10	API Interceptor	17x Sleep call for process: AgentPackageHeartbeat.exe modified
16:29:26	API Interceptor	7x Sleep call for process: AgentPackageUpgradeAgent.exe modified
22:28:55	Task Scheduler	Run new task: Monitoring Recovery path: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe s>schedulerrun

Process:	C:\Windows\System32\msiexec.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	145968
Entropy (8bit):	5.874150428357998
Encrypted:	false
SSDEEP:	3072:bk/SImWggsVz8TzihTmmrG/GOXYsqRK3ybTXzpUTQM9/FMp:ISWB/YrRK3yb37
MD5:	477293F80461713D51A98A24023D45E8
SHA1:	E9AA4E6C514EE951665A7CD6F0B4A4C49146241D
SHA-256:	A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2
SHA-512:	23F3BD44A5FB66BE7FEA3F7D6440742B657E4050B565C1F8F4684722502D46B68C9E54DCC2486E7DE441482FCC6AA4AD54E94B1D73992EB5D070E2A17F35DE2F
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...O..e.........."...0.............f$... ...@....@.. ...............................1....`..................................$..O....@..,...............0(...`......."............................................... ............... ..H............text...\|.... ...................... ..`.rsrc...,....@......................@..@.reloc.......`......................@..B................H$......H.......(...D4..........l!..p.............................................{.....0..N........~......,.~.....+:(.......~....(........(....#.......@....,.(.....+.~.....+.....0..;........(.......(.....1.(.......(........+....,.~.....+.~.....+....0..6........~....%-.&~..........s....%.....s ......o!.....o".......0..O........(...........~#...r...po$..........,..rG..ps%...z.rO..p.....(&....~.....o'....*..0..>........~#...r...po(............,'.~#...r...po$............,.rG..ps%...

Process:	C:\Windows\SysWOW64\rundll32.exe
File Type:	CSV text
Category:	dropped
Size (bytes):	651
Entropy (8bit):	5.343677015075984
Encrypted:	false
SSDEEP:	12:Q3La/KDLI4MWuPTAOKbbDLI4MWuPJKAVKhaOK9eDLI4MNJK9P/JNTK9yiv:ML9E4KlKDE4KhKiKhPKIE4oKNzKoM
MD5:	7EEF860682F76EC7D541A8C1A3494E3D
SHA1:	58D759A845D2D961A5430E429EF777E60C48C87E
SHA-256:	65E958955AC5DBB7D7AD573EB4BB36BFF4A1DC52DD16CF79A5F7A0FA347727F1
SHA-512:	BF7767D55F624B8404240953A726AA616D0CE60EC1B3027710B919D6838EFF7281A79B49B22AB8B065D8CA921EF4D09017A0991CB4A21DAF09B3B43E6698CB04
Malicious:	false
Reputation:	unknown
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	0.34726597513537405
Encrypted:	false
SSDEEP:	3:Nlll:Nll
MD5:	446DD1CF97EABA21CF14D03AEBC79F27
SHA1:	36E4CC7367E0C7B40F4A8ACE272941EA46373799
SHA-256:	A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
SHA-512:	A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
Malicious:	false
Reputation:	unknown
Preview:	@...e...........................................................

File type:	Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: AteraAgent, Author: Atera networks, Keywords: Installer, Comments: This installer database contains the logic and data required to install AteraAgent., Template: Intel;1033, Revision Number: {721AD955-79FD-4019-BBF5-9DCC4C1175BB}, Create Time/Date: Wed Feb 28 10:52:02 2024, Last Saved Time/Date: Wed Feb 28 10:52:02 2024, Number of Pages: 200, Number of Words: 6, Name of Creating Application: Windows Installer XML Toolset (3.11.2.4516), Security: 2
Entropy (8bit):	7.878683353071712
TrID:	Microsoft Windows Installer (60509/1) 57.88% ClickyMouse macro set (36024/1) 34.46% Generic OLE2 / Multistream Compound File (8008/1) 7.66%
File name:	SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi
File size:	2'994'176 bytes
MD5:	46a75de058e385dd2682950f346f943b
SHA1:	61213bed0ef6103cfbb95772bde3d2206cba2c06
SHA256:	21c84b112b3f5c7bfa77f10353397d17feb3d2b991f66129a3ca70014e6389a6
SHA512:	0b4541645d00abaa757136e96fb51fc109c3c5e7c8b40096da57cb9766eaa6f735aa1cd44befb220681f1b020acd1d5ba75c9fb1f62a60b9cd26da9513f27818
SSDEEP:	49152:i+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:i+lUlz9FKbsodq0YaH7ZPxMb8tT
TLSH:	C4D523117584483AE37B0A358D7AD6A05E7DFE605B70CA8E9308741E2E705C1AB76F73
File Content Preview:	........................>......................................................................................................................................................................................................................................

Target ID:	0
Start time:	16:27:54
Start date:	30/07/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi"
Imagebase:	0x7ff752510000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	3
Start time:	16:27:55
Start date:	30/07/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding FBC342A8ABDF04038F10EFC029C1656D
Imagebase:	0xee0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	4
Start time:	16:27:56
Start date:	30/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Windows\Installer\MSI2852.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5908796 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Imagebase:	0xef0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000004.00000003.2032629720.0000000004B02000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	5
Start time:	16:27:57
Start date:	30/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Windows\Installer\MSI2EAC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5910218 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Imagebase:	0xef0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.2078628555.0000000004CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000002.2078628555.0000000004D54000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000005.00000003.2038794357.000000000498B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	true

Target ID:	7
Start time:	16:28:02
Start date:	30/07/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\syswow64\MsiExec.exe -Embedding B756259567EEAEDF13A18B94143184C3 E Global\MSI0000
Imagebase:	0xee0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	12
Start time:	16:28:03
Start date:	30/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	14
Start time:	16:28:08
Start date:	30/07/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Imagebase:	0x1cfdae60000
File size:	145'968 bytes
MD5 hash:	477293F80461713D51A98A24023D45E8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBC48000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBB30000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2589449099.000001CFF43E8000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBEC4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2556640926.000001CFDAF28000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDB89E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDB791000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2589449099.000001CFF43E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDB926000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBB33000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBA56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2595880171.000001CFF4906000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDB7E8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBBBD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBA4E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBAF4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2589449099.000001CFF4448000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2556602593.000001CFDAF10000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBA10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBC0C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2558947208.000001CFDB220000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBC62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBBBA000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2555505411.000000155C2F5000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2556640926.000001CFDAF5A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBD95000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2584991032.000001CFF3FAC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDB814000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBC4B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2593246742.000001CFF45CA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2584991032.000001CFF404E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBB78000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2589449099.000001CFF4423000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2589449099.000001CFF447F000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2556640926.000001CFDAF20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2559206056.000001CFDBDC7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2589449099.000001CFF44A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000000E.00000002.2556640926.000001CFDAFA5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	17
Start time:	16:28:09
Start date:	30/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Windows\Installer\MSI5DC1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5922250 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Imagebase:	0xef0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000002.2200238195.0000000004477000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000002.2200238195.00000000043D1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000011.00000003.2158928933.0000000004328000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	19
Start time:	16:28:16
Start date:	30/07/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "f3f8c138-efff-44a7-8aff-78b661b79ea9" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KZFzxIAH
Imagebase:	0x267ba2b0000
File size:	176'176 bytes
MD5 hash:	ACCE8B17DE63299AA4D5CB7D709BEEDC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2247425634.00000267BA3A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2248418409.00000267BA590000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2248887172.00000267BABC3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2248721633.00000267BAAC2000.00000002.00000001.01000000.00000018.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2248887172.00000267BAB51000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2247425634.00000267BA3EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2247425634.00000267BA3A5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2248887172.00000267BABD3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000000.2229421092.00000267BA2B2000.00000002.00000001.01000000.00000016.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000013.00000002.2247425634.00000267BA360000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security Rule: JoeSecurity_GenericDownloader_1, Description: Yara detected Generic Downloader, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Target ID:	21
Start time:	16:28:17
Start date:	30/07/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "97d527e2-ace6-4af1-87ff-fd0bb84d12a8" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KZFzxIAH
Imagebase:	0x24e7bf80000
File size:	176'176 bytes
MD5 hash:	ACCE8B17DE63299AA4D5CB7D709BEEDC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2266447306.0000024E7C400000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2260910212.0000024E00047000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2264872270.0000024E7C050000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2260910212.0000024E00073000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2260910212.0000024E00001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2264872270.0000024E7C059000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2260910212.0000024E00083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2260910212.0000024E000BF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2264872270.0000024E7C08D000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2264872270.0000024E7C0D7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000015.00000002.2264872270.0000024E7C098000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	23
Start time:	16:28:19
Start date:	30/07/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "93138382-7cb2-4c66-b5a0-34a2c11202fd" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000KZFzxIAH
Imagebase:	0x1b6689c0000
File size:	176'176 bytes
MD5 hash:	ACCE8B17DE63299AA4D5CB7D709BEEDC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2264112406.000001B668C30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2264112406.000001B668CBC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2260286662.000001B600083000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2264112406.000001B668C38000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2264036436.000001B668C20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2260286662.000001B600073000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2264112406.000001B668C6C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000017.00000002.2260286662.000001B600001000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	28
Start time:	16:28:20
Start date:	30/07/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "31b88dde-1623-4466-adb0-05f466efd2ea" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000KZFzxIAH
Imagebase:	0x163095f0000
File size:	176'176 bytes
MD5 hash:	ACCE8B17DE63299AA4D5CB7D709BEEDC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3174174470.00000163096D3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3244506065.0000016322B42000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3183499015.000001630A25A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3174174470.0000016309699000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3183499015.000001630A257000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3181429809.00000163099F0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3219024041.00000163227B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3174174470.00000163096CD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3183499015.000001630A289000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3183499015.000001630A0DE000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3183499015.000001630A31F000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3183499015.000001630A1B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3228082364.0000016322892000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3183499015.000001630A285000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3174174470.000001630971B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3183499015.000001630A041000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3174174470.0000016309690000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001C.00000002.3183499015.000001630A1C0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	30
Start time:	16:28:21
Start date:	30/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Imagebase:	0x7ff7d8380000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.2575534278.0000018C7FD30000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.2575434147.0000018C7FB6B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000003.2274406570.0000018C7FD50000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.2575434147.0000018C7FB83000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000001E.00000002.2575434147.0000018C7FB60000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	33
Start time:	16:28:26
Start date:	30/07/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "15ce275a-be83-4afa-bdcf-3f7d4cc3415d" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000KZFzxIAH
Imagebase:	0x26e261f0000
File size:	396'336 bytes
MD5 hash:	B50005A1A62AFA85240D1F65165856EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2359837565.0000026E262E0000.00000004.00000020.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2369780213.0000026E40655000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000000.2322894948.0000026E261F2000.00000002.00000001.01000000.0000001A.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2362218873.0000026E2727E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2362218873.0000026E26CE1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2369489506.0000026E40217000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2360088406.0000026E26550000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2360088406.0000026E26510000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2379942506.00007FF8A03F9000.00000004.00000001.01000000.0000001B.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2366710372.0000026E3F3A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2366710372.0000026E3F3FD000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2359986359.0000026E26460000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2360088406.0000026E26502000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2369527319.0000026E40415000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2360680043.0000026E26692000.00000002.00000001.01000000.0000001C.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2369676343.0000026E40426000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2360088406.0000026E264C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000021.00000002.2362218873.0000026E26DCD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, Author: Joe Security
Has exited:	true

Target ID:	36
Start time:	16:28:41
Start date:	30/07/2024
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Imagebase:	0x7ff7e52b0000
File size:	55'320 bytes
MD5 hash:	B7F884C1B74A263F746EE12A5F7C9F6A
Has elevated privileges:	true
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Has exited:	false

Target ID:	37
Start time:	16:28:51
Start date:	30/07/2024
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"powershell.exe" Set-ExecutionPolicy Bypass -Scope CurrentUser
Imagebase:	0x7ff7be880000
File size:	452'608 bytes
MD5 hash:	04029E121A0CFA5991749937DD22A1D9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2615805731.00000206678A3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2615805731.0000020668A11000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2609908643.0000020666550000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2615805731.00000206677A6000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2615805731.00000206686C8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2615805731.00000206679C5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2615805731.0000020668981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2615805731.00000206681C9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2615805731.00000206672B8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2615805731.00000206683AD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000025.00000002.2615805731.0000020668A58000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	39
Start time:	16:28:53
Start date:	30/07/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "d993a967-e5b2-425f-a13a-df33fb52e8f5" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000KZFzxIAH
Imagebase:	0x1e45c230000
File size:	52'272 bytes
MD5 hash:	6095B43FA565DA44E7A818CFB4BACBA2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2932952613.000000C28C743000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2936902415.000001E45C410000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2938598314.000001E45C453000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2947709393.000001E45C665000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2942637569.000001E45C4FC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2938598314.000001E45C49B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2999155152.000001E4753A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2938598314.000001E45C461000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2942637569.000001E45C4B4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2948323551.000001E45CCB7000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2936416893.000001E45C3E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.3002981073.000001E4753F1000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2948323551.000001E45CDC9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2948323551.000001E45CDB8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2938598314.000001E45C430000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.3002981073.000001E47543B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.2948323551.000001E45CB41000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.3002383624.000001E4753D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000000.2594468379.000001E45C232000.00000002.00000001.01000000.00000027.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000027.00000002.3002981073.000001E4753E3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, Author: Joe Security
Has exited:	true

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

5a26d2.rbf (copy)

5a26d3.rbf (copy)

5a26d4.rbf (copy)

5a26d5.rbf (copy)

5a26d6.rbf (copy)

5a26d7.rbf (copy)

5a26d8.rbf (copy)

C:\Config.Msi\5a26cc.rbs

C:\Config.Msi\5a26d1.rbs

C:\Config.Msi\5a26d9.rbs

C:\Config.Msi\5a26dd.rbs

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

Windows Analysis Report
SecuriteInfo.com.Program.RemoteAdminNET.1.1711.8851.msi

Target ID:	41
Start time:	16:28:55
Start date:	30/07/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "4b2bcc99-0697-449c-87dd-e9f93a323079" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000KZFzxIAH
Imagebase:	0x2695ce10000
File size:	71'728 bytes
MD5 hash:	A86B9D7A0085275F89BBD0878DBDEE3B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3274308757.000002695D07C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3285991937.000002695D94A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3274308757.000002695CFF0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3274308757.000002695D039000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3283401681.000002695D2E0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3285991937.000002695D840000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3274308757.000002695CFFC000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3285991937.000002695D711000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000000.2612366668.000002695CE12000.00000002.00000001.01000000.00000029.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3274308757.000002695D030000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3355927161.00000269760CB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3266806247.0000007FFB721000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000029.00000002.3285991937.000002695D788000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, Author: Joe Security
Has exited:	false

Target ID:	47
Start time:	16:28:59
Start date:	30/07/2024
Path:	C:\Windows\System32\msiexec.exe
Wow64 process (32bit):	false
Commandline:	"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
Imagebase:	0x7ff752510000
File size:	69'632 bytes
MD5 hash:	E5DA170027542E25EDE42FC54C929077
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2924086021.000001E302300000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000003.2922053260.000001E3022FF000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000003.2875187580.000001E302270000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000002.2924328286.000001E302BE3000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000003.2921977102.000001E3022EB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000002F.00000003.2916707362.000001E302270000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	51
Start time:	16:29:02
Start date:	30/07/2024
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"cmd.exe" /c powershell.exe -File "C:\Program Files (x86)\Microsoft Office\Office16\vNextDiag.ps1"
Imagebase:	0x7ff7d8380000
File size:	289'792 bytes
MD5 hash:	8A2122E8162DBEF04694B9C3E0B6CDEE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000003.2689661385.0000022086C40000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3089682303.00000220869B0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3089682303.00000220869BB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3089978922.0000022086C20000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000033.00000002.3089682303.00000220869D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	56
Start time:	16:29:04
Start date:	30/07/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "9714075a-7bec-49a9-9497-61d2edb1cb2b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000KZFzxIAH
Imagebase:	0x7ff69b450000
File size:	159'824 bytes
MD5 hash:	0B7534A49A757D7525F7FC966D6CAF5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2709175078.000001E861C9C000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 00000038.00000002.2709175078.000001E861C90000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Target ID:	58
Start time:	16:29:09
Start date:	30/07/2024
Path:	C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit):	true
Commandline:	rundll32.exe "C:\Windows\Installer\MSI48FF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5982484 46 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Imagebase:	0xef0000
File size:	61'440 bytes
MD5 hash:	889B99C52A60DD49227C5E485A016679
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003A.00000003.2761236038.0000000004D86000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	63
Start time:	16:29:11
Start date:	30/07/2024
Path:	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" f59f3442-6117-4640-8aae-6ef22eb1ae8f "9714075a-7bec-49a9-9497-61d2edb1cb2b" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000KZFzxIAH
Imagebase:	0x7ff69b450000
File size:	159'824 bytes
MD5 hash:	0B7534A49A757D7525F7FC966D6CAF5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003F.00000002.2778689991.0000027604788000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AteraAgent, Description: Yara detected AteraAgent, Source: 0000003F.00000002.2778689991.0000027604780000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Has exited:	true

Target ID:	141
Start time:	16:29:44
Start date:	30/07/2024
Path:	C:\Windows\System32\Conhost.exe
Wow64 process (32bit):
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Has exited:	false

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may move onto systems, possibly those on disconnected or air-gapped networks, by copying malware to removable media and taking advantage of Autorun features when the media is inserted into a system and executes. In the case of Lateral Movement, this may occur through modification of executable files stored on removable media or by copying malware and renaming it to look like a legitimate file to trick users into executing it on a separate system. In the case of Initial Access, this may occur through manual manipulation of the media, modification of systems used to initially format the media, or modification to the media's firmware itself.
Tactics:	Initial Access, Lateral Movement
Data Sources:	Drive: Drive Creation, File: File Access, File: File Creation, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre