Windows Analysis Report
ALVARA-072.msi

Overview

General Information

Sample name: ALVARA-072.msi
Analysis ID: 1542082
MD5: a232621b778a64163b77169820ad579e
SHA1: 252a8e0aa905aa1880161ab53aaeb54e345991a8
SHA256: 8c684bf0b13e4bc010d63490bd53593cd627be43e8178117c80e4b836881dad6
Tags: msi, user-Porcupine

Detection

AteraAgent
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Yara detected AteraAgent
AI detected suspicious sample
Changes security center settings (notifications, updates, antivirus, firewall)
Creates files in the system32 config directory
Enables network access during safeboot for specific services
Installs Task Scheduler Managed Wrapper
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive service information (via WMI, WIN32_SERVICE, often done to detect sandboxes)
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Queries sensitive sound device information (via WMI, Win32_SoundDevice, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Reads the Security eventlog
Reads the System eventlog
Sample is not signed and drops a device driver
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Adds / modifies Windows certificates
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks for available system drives (often done to infect USB drives)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Creates or modifies windows services
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Drops certificate files (DER)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
Is looking for software installed on the system
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
PE file does not import any functions
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the product ID of Windows
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses net.exe to stop services
Uses taskkill to terminate processes
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe ReversingLabs: Detection: 26%
Source: ALVARA-072.msi ReversingLabs: Detection: 23%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 94.1% probability
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028D4BC0 CryptAcquireContextW,GetLastError,CryptReleaseContext,CryptReleaseContext,CryptReleaseContext, 42_2_00007FFB028D4BC0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028D4E20 CryptCreateHash,GetLastError,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptEncrypt,GetLastError,CryptDecrypt,GetLastError,CryptDestroyKey,CryptDestroyHash, 42_2_00007FFB028D4E20
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028D4DE0 CryptReleaseContext, 42_2_00007FFB028D4DE0
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txt
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txt
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txt
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txt
Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: MSI58CE.tmp.6.dr
Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 0000002A.00000002.1846265525.00000195FFCE2000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 00000014.00000000.1383292218.0000021EC66A2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 0000001A.00000002.1656716822.000001E308252000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: c:\winddk\7600.16385.1\src\setup\difxapi\difxcmd\objfre_win7_amd64\amd64\DIFxCmd.pdb source: DIFxCmd64.exe0.6.dr
Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 0000002A.00000002.1853799028.00000195FFDA2000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: d:\svn\sr01\tim\dev\win32\stvideo\mirror\objfre_win7_x86\i386\stmirror.pdbx source: stmirror.dll.6.dr
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1854313005.00000195FFE12000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdb source: System.Runtime.InteropServices.dll.30.dr
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdbH5b5 T5_CorDllMainmscoree.dll source: System.Runtime.InteropServices.dll.30.dr
Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1843534702.00000195FF392000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.ReaderWriter\4.1.1.0\System.Xml.ReaderWriter.pdb source: System.Xml.ReaderWriter.dll.30.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net6.0\System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll4.30.dr
Source: Binary string: c:\winddk\7600.16385.1\src\setup\difxapi\difxcmd\objfre_win7_amd64\amd64\DIFxCmd.pdbH source: DIFxCmd64.exe0.6.dr
Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 0000000A.00000003.1297756832.0000000004CDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000444C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.6.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\21\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdb source: Microsoft.ApplicationInsights.dll3.30.dr
Source: Binary string: D:\A\_work\39\s\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net45\System.Runtime.InteropServices.RuntimeInformation.pdb source: System.Runtime.InteropServices.RuntimeInformation.dll.22.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Extensions\net6.0-Release\System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.6.dr
Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000014.00000000.1383292218.0000021EC66A2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Handles\net6.0-Release\System.Runtime.Handles.pdb source: System.Runtime.Handles.dll.6.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.6.dr
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdbX)r) d)_CorDllMainmscoree.dll source: System.Net.Requests.dll.30.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: api-ms-win-core-util-l1-1-0.dll.6.dr
Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000016.00000002.2018950710.000001BCA8AB2000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000016.00000002.2018950710.000001BCA8AB2000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1855704329.00000195FFEF2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll.11.dr
Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1849997542.00000195FFD62000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: System.Private.Xml.ni.pdb source: System.Private.Xml.dll.6.dr
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 0000002A.00000002.1854313005.00000195FFE12000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 0000001A.00000000.1623145179.000001E307E92000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1846265525.00000195FFCE2000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\SRUnPackFile.pdb source: SplashtopStreamer.exe, 0000002F.00000000.1908546863.000000000042E000.00000002.00000001.01000000.00000027.sdmp, SplashtopStreamer.exe, 0000002F.00000002.2290517618.000000000042E000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000A.00000003.1297756832.0000000004CDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000444C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdbSHA256 source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.30.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\net6.0-Release\System.Xml.XDocument.pdbt+ source: System.Xml.XDocument.dll.6.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1658228362.000001E320FA2000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2372308158.0000026AE0B70000.00000002.00000001.01000000.0000002C.sdmp
Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\PreVerCheck.pdb source: PreVerCheck.exe, 00000030.00000000.1951833191.0000000000B83000.00000002.00000001.01000000.00000028.sdmp, PreVerCheck.exe, 00000030.00000002.2274094246.0000000000B83000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlDocument\4.0.3.0\System.Xml.XmlDocument.pdb source: System.Xml.XmlDocument.dll.30.dr
Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdb source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.30.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1658228362.000001E320FA2000.00000002.00000001.01000000.0000001B.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2372308158.0000026AE0B70000.00000002.00000001.01000000.0000002C.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1855704329.00000195FFEF2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll.11.dr
Source: Binary string: d:\svn\sr01\tim\dev\win32\stvideo\mirror\objfre_win7_x86\i386\stmirror.pdb source: stmirror.dll.6.dr
Source: Binary string: t.pdbpdb source: AteraAgent.exe, 00000016.00000002.2010230473.000001BCA833C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: ALVARA-072.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Globalization.Extensions\net6.0-Release\System.Globalization.Extensions.pdb source: System.Globalization.Extensions.dll.6.dr
Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 0000000A.00000003.1297756832.0000000004CDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000444C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 0000002A.00000002.1843534702.00000195FF392000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.Algorithms/netfx\System.Security.Cryptography.Algorithms.pdb source: System.Security.Cryptography.Algorithms.dll.30.dr
Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 0000001A.00000002.1656716822.000001E308252000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: W.pdb$Gs0 source: PreVerCheck.exe, 00000030.00000002.2274351905.0000000000B95000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\net6.0-Release\System.Xml.XDocument.pdb source: System.Xml.XDocument.dll.6.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: api-ms-win-core-console-l1-1-0.dll.6.dr
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdb source: System.Net.Requests.dll.30.dr
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Principal\4.0.1.0\System.Security.Principal.pdb source: System.Security.Principal.dll.30.dr
Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1866616915.00007FFB02A1A000.00000002.00000001.01000000.0000001E.sdmp, SQLite.Interop.dll.22.dr
Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 00000014.00000002.1439315934.0000021EE0D02000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net6.0\System.Diagnostics.DiagnosticSource.pdbSHA256 source: System.Diagnostics.DiagnosticSource.dll4.30.dr
Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 00000014.00000002.1439315934.0000021EE0D02000.00000002.00000001.01000000.00000012.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECE90000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1853799028.00000195FFDA2000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: ALVARA-072.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\net6.0-windows-Release\System.Private.Xml.pdb source: System.Private.Xml.dll.6.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Extensions\net6.0-Release\System.Reflection.Extensions.pdbD)^) P)_CorDllMainmscoree.dll source: System.Reflection.Extensions.dll.6.dr
Source: C:\Windows\System32\msiexec.exe File opened: z:
Source: C:\Windows\System32\msiexec.exe File opened: x:
Source: C:\Windows\System32\msiexec.exe File opened: v:
Source: C:\Windows\System32\msiexec.exe File opened: t:
Source: C:\Windows\System32\msiexec.exe File opened: r:
Source: C:\Windows\System32\msiexec.exe File opened: p:
Source: C:\Windows\System32\msiexec.exe File opened: n:
Source: C:\Windows\System32\msiexec.exe File opened: l:
Source: C:\Windows\System32\msiexec.exe File opened: j:
Source: C:\Windows\System32\msiexec.exe File opened: h:
Source: C:\Windows\System32\msiexec.exe File opened: f:
Source: C:\Windows\System32\svchost.exe File opened: d:
Source: C:\Windows\System32\msiexec.exe File opened: b:
Source: C:\Windows\System32\msiexec.exe File opened: y:
Source: C:\Windows\System32\msiexec.exe File opened: w:
Source: C:\Windows\System32\msiexec.exe File opened: u:
Source: C:\Windows\System32\msiexec.exe File opened: s:
Source: C:\Windows\System32\msiexec.exe File opened: q:
Source: C:\Windows\System32\msiexec.exe File opened: o:
Source: C:\Windows\System32\msiexec.exe File opened: m:
Source: C:\Windows\System32\msiexec.exe File opened: k:
Source: C:\Windows\System32\msiexec.exe File opened: i:
Source: C:\Windows\System32\msiexec.exe File opened: g:
Source: C:\Windows\System32\msiexec.exe File opened: e:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: c:
Source: C:\Windows\System32\msiexec.exe File opened: a:
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\lib\
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\lib\
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\

Networking

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.119.152.241 443
Source: C:\Windows\SysWOW64\msiexec.exe Registry value created: NULL Service
Source: Yara match File source: 26.0.AgentPackageAgentInformation.exe.1e307e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\choco.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll, type: DROPPED
Source: Yara match File source: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280651000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEADREMOTE/6.0/AGENTPACKAGEADREMOTE.ZIP
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEAGENTINFORMATION/37.9/AGENTPACKAGEAGENTINFORMATI
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGEMONITORING/37.8/AGENTPACKAGEMONITORING.ZIP
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: HTTPS://PS.ATERA.COM/AGENTPACKAGESNET45/AGENTPACKAGESTREMOTE/23.4/AGENTPACKAGESTREMOTE.ZIP
Source: AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC8425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a6dc35606b2c6816e.awsglobalaccelerator.com
Source: AteraAgent.exe, 00000014.00000000.1383292218.0000021EC66A2000.00000002.00000001.01000000.00000010.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8F9F1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280001000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://acontrol.atera.com/
Source: rundll32.exe, 0000000B.00000002.1350402891.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FD6A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.1525650157.0000000004805000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1656982282.000001E30884F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808D3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309D5F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309DB2000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309D21000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.0000019580582000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D68059D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://agent-api.atera.com
Source: rundll32.exe, 0000000B.00000002.1350402891.0000000004C35000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FD6A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.1525650157.0000000004805000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1656982282.000001E30884F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808D3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309D5F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309DB2000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309D21000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.0000019580582000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D68059D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC84C3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC84D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStam
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0B60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA86FB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC9005B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF23000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF41000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC84C3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC8443000.00000004.00000800.00020000.00000000.sdmp, PreVerCheck.exe, 00000030.00000002.2274351905.0000000000B95000.00000002.00000001.01000000.00000028.sdmp, ALVARA-072.msi, Microsoft.ApplicationInsights.dll3.30.dr, SQLite.Interop.dll.22.dr, System.Net.Requests.dll.30.dr, System.Xml.XmlDocument.dll.30.dr String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AteraAgent.exe, 00000016.00000002.2019752036.000001BCA8BC0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.cr
Source: AteraAgent.exe, 00000016.00000002.2015601609.000001BCA86FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000002.1904346626.000002B9A6BC8000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1859138989.000002B9A6BCB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2010230473.000001BCA8260000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA8738000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2014420654.000001BCA86AA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2010230473.000001BCA82F4000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2014420654.000001BCA869B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC9005B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1658449420.000001E3210E2000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1658449420.000001E3210BB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 
0000001E.00000002.2561782268.00000262ECB2A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2561782268.00000262ECB8E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2561782268.00000262ECAED000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, ALVARA-072.msi String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: stmirror.dll.6.dr String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: AteraAgent.exe, 0000001E.00000002.2561782268.00000262ECB8E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.v
Source: AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.B
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2019752036.000001BCA8BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2010230473.000001BCA8260000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2010230473.000001BCA8305000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC9005B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECE90000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF23000.00000004.00000020.00020000.00000000.sdmp, PreVerCheck.exe, 00000030.00000002.2274351905.0000000000B95000.00000002.00000001.01000000.00000028.sdmp, ALVARA-072.msi, Microsoft.ApplicationInsights.dll3.30.dr, SQLite.Interop.dll.22.dr, System.Net.Requests.dll.30.dr, System.Xml.XmlDocument.dll.30.dr, Microsoft.Extensions.Configuration.EnvironmentVariables.dll.30.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, ALVARA-072.msi, ISRT.dll.50.dr, swresample-2.dll.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, ALVARA-072.msi String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0BE6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0C1A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1439568660.0000021EE0EB2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2014420654.000001BCA8670000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA86F1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA8738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0B60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1439568660.0000021EE0EE2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1436215584.0000021EC844A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2019752036.000001BCA8BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FCAA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC9001C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2010230473.000001BCA8260000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA8738000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC90158000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FD6A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2018336227.000001BCA8862000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA86FB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2014420654.000001BCA86AA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFFE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC9005B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 
0000001E.00000002.2564491155.00000262ECEFE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262805DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: AteraAgent.exe, 00000014.00000002.1439568660.0000021EE0EB2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlA
Source: AteraAgent.exe, 00000016.00000002.2015601609.000001BCA8738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlU
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlf
Source: AteraAgent.exe, 00000016.00000002.1962237945.000001BC8F41B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlhttp://crl4.digicert.co
Source: AteraAgent.exe, 00000016.00000002.2014420654.000001BCA8670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crli
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlx.
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0B60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA86FB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC9005B000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF23000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF41000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC84C3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC8443000.00000004.00000800.00020000.00000000.sdmp, PreVerCheck.exe, 00000030.00000002.2274351905.0000000000B95000.00000002.00000001.01000000.00000028.sdmp, ALVARA-072.msi, Microsoft.ApplicationInsights.dll3.30.dr, SQLite.Interop.dll.22.dr, System.Net.Requests.dll.30.dr, System.Xml.XmlDocument.dll.30.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRoot
Source: AteraAgent.exe, 00000016.00000002.2015601609.000001BCA86FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: System.Runtime.InteropServices.dll.30.dr, swresample-2.dll.6.dr String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AteraAgent.exe, 00000016.00000002.2015601609.000001BCA86FB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlK
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0B60000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
Source: AteraAgent.exe, 00000014.00000002.1439568660.0000021EE0E90000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlQ
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, ALVARA-072.msi String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/l
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, ALVARA-072.msi, ISRT.dll.50.dr, swresample-2.dll.6.dr String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0C3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0C3F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crlocalLow
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0BE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/;
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, ALVARA-072.msi, ISRT.dll.50.dr, swresample-2.dll.6.dr String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AteraAgent.exe, 00000016.00000002.2014420654.000001BCA8670000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FCAA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA86F1000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC9001C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA8738000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC90158000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FD6A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262805DE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECE90000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262807F8000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280651000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0B60000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1439568660.0000021EE0EE2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1436215584.0000021EC844A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2019752036.000001BCA8BC0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2010230473.000001BCA8260000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA8738000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2018336227.000001BCA8862000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2015601609.000001BCA86FB000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2014420654.000001BCA86AA000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFFE000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC9005B000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECEFE000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECE90000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF23000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF41000.00000004.00000020.00020000.00000000.sdmp, 
AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC84C3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC84D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AteraAgent.exe, 00000016.00000002.2015601609.000001BCA8738000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlS
Source: AteraAgent.exe, 00000014.00000002.1439568660.0000021EE0EB2000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.2014420654.000001BCA8670000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlU
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0C1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlk
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0C1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlr
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0C1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlz
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, ALVARA-072.msi String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, ALVARA-072.msi, ISRT.dll.50.dr, swresample-2.dll.6.dr String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/AcknowledgeCommands
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FAA1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
Source: AgentPackageAgentInformation.exe, 0000001A.00000002.1656982282.000001E3087A3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA74000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FAA1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8F9F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetEnvironmentStatusP
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8F9F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/Trace
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309D8F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309D8F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309B61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/dynamic-fields/script-based
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309DF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/guiComm
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309BF3000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309DF9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/guiCommandResult
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309D5F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000021.00000002.1892336256.000001E309D21000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D6801D4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/recurringCommandResult
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/thresholds/69d31729-b40a-4033-aac0-eb6fc5db2da4
Source: rundll32.exe, 0000000B.00000002.1350402891.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000002.1350402891.0000000004C14000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.1525650157.00000000047E4000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.1525650157.0000000004741000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
Source: rundll32.exe, 0000000B.00000002.1350402891.0000000004C56000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.1525650157.0000000004826000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FD6A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://agent-api.atera.comPJ:
Source: Microsoft.ApplicationInsights.dll3.30.dr String found in binary or memory: https://agent.azureserviceprofiler.net/
Source: Microsoft.ApplicationInsights.dll3.30.dr String found in binary or memory: https://agent.azureserviceprofiler.net/p
Source: AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-core-applaunch?
Source: AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet-core-applaunch?You
Source: AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet/app-launch-failed
Source: AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://aka.ms/dotnet/app-launch-failed&gui=trueShowing
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: stmirror.dll.6.dr String found in binary or memory: https://d.symcb.com/cps0%
Source: stmirror.dll.6.dr String found in binary or memory: https://d.symcb.com/rpa0
Source: Microsoft.ApplicationInsights.dll3.30.dr String found in binary or memory: https://dc.services.visualstudio.com/Jhttps://rt.services.visualstudio.com/Nhttps://agent.azureservi
Source: Microsoft.ApplicationInsights.dll3.30.dr String found in binary or memory: https://dc.services.visualstudio.com/api/profiles/
Source: Microsoft.ApplicationInsights.dll3.30.dr String found in binary or memory: https://dc.services.visualstudio.com/f
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000003.1366226363.000001FE52A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367762852.000001FE52A70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367565275.000001FE52A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366488749.000001FE52A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366468559.000001FE52A5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367689430.000001FE52A63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366090562.000001FE52A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000002.1367762852.000001FE52A70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366090562.000001FE52A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/JsonFilter/VenueMaps/data/
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000000.00000003.1366148291.000001FE52A67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000000.00000002.1367762852.000001FE52A70000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366090562.000001FE52A6E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Transit/Stops/
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.1366226363.000001FE52A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366468559.000001FE52A5A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367689430.000001FE52A63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367392212.000001FE52A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Locations
Source: svchost.exe, 00000000.00000002.1367721502.000001FE52A68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366148291.000001FE52A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367392212.000001FE52A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000000.00000003.1366226363.000001FE52A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367689430.000001FE52A63000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367392212.000001FE52A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Traffic/Incidents/
Source: svchost.exe, 00000000.00000002.1367565275.000001FE52A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366488749.000001FE52A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000000.00000003.1366226363.000001FE52A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367689430.000001FE52A63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC844B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://download.splashtop.com
Source: AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC844B000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC8447000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC8425000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://download.splashtop.com/csrs/Splashtop_Streamer_Win_DEPLOY_INSTALLER_v3.7.2.0.exe
Source: svchost.exe, 00000000.00000003.1366488749.000001FE52A41000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366551950.000001FE52A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&
Source: svchost.exe, 00000000.00000002.1367392212.000001FE52A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1366488749.000001FE52A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000003.1366226363.000001FE52A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367689430.000001FE52A63000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000000.00000002.1367565275.000001FE52A42000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366488749.000001FE52A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000002.1367392212.000001FE52A24000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366392855.000001FE52A5E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1263751454.000001FE52A36000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/V1/MapControlConfiguration/native/
Source: svchost.exe, 00000000.00000002.1367721502.000001FE52A68000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000003.1366148291.000001FE52A67000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367392212.000001FE52A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1658228362.000001E320FA2000.00000002.00000001.01000000.0000001B.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2372308158.0000026AE0B70000.00000002.00000001.01000000.0000002C.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1855704329.00000195FFEF2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll.11.dr String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.30.dr, System.Globalization.Extensions.dll.6.dr, System.Xml.XDocument.dll.6.dr, System.Reflection.Extensions.dll.6.dr, System.Runtime.Handles.dll.6.dr, System.Diagnostics.DiagnosticSource.dll4.30.dr String found in binary or memory: https://github.com/dotnet/runtime
Source: AteraAgent.exe, 00000016.00000002.2018950710.000001BCA8AB2000.00000002.00000001.01000000.0000002A.sdmp String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC8348000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC8420000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://my.splashtop.com
Source: AgentPackageSTRemote.exe, 00000027.00000000.1719532308.0000026AC7A52000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://my.splashtop.com/csrs/win
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1855595180.00000195FFEE8000.00000002.00000001.01000000.00000025.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1854313005.00000195FFE12000.00000002.00000001.01000000.00000025.sdmp String found in binary or memory: https://nlog-project.org/
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr String found in binary or memory: https://packagesstore.blob.core.windows.net/installers/BitDefender/rmm.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280651000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/a
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/ag
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageA
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAPJ:
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDC2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAg
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FD6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgePWs
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageMonitoring/0.40/AgentPackageMonitoring.z
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.3/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDC2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageSTRemote/2.3/AgentPackageSTRemote.ziph
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/37.9/AgentPackageAgentInformation
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDC2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziph
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.5/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280651000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280651000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip?vjfcGOVmNg
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDB3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FBB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/37.9/AgentPackageAgentInformati
Source: AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zip?vjfcGO
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageHeartbeat/17.14/AgentPackageHeartbeat.zipPJ:
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageInternalPoller/23.8/AgentPackageInternalPoller.z
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMarketplace/1.6/AgentPackageMarketplace.zip?vjfc
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.zip?vjfcG
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageMonitoring/37.8/AgentPackageMonitoring.ziph
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageOsUpdates/20.0/AgentPackageOsUpdates.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageProgramManagement/25.5/AgentPackageProgramManage
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDB3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.zip?vjfcGOVmN
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDC2000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSTRemote/23.4/AgentPackageSTRemote.ziph
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageSystemTools/27.5/AgentPackageSystemTools.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/29.7/AgentPackageTicketing.zip
Source: AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTicketing/29.7/AgentPackageTicketing.zip?vjfcGOV
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262800E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageUpgradeAgent/27.2/AgentPackageUpgradeAgent.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageMonitoring/22.0/AgentPackageMonitoring.zip
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FDB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageSTRemote/16.0/AgentPackageSTRemote.zip
Source: AgentPackageSTRemote.exe, 00000027.00000002.2348422967.0000026AC8348000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000000.1719532308.0000026AC7A52000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exe
Source: AgentPackageSTRemote.exe, 00000027.00000000.1719532308.0000026AC7A52000.00000002.00000001.01000000.0000001C.sdmp String found in binary or memory: https://ps.atera.com/installers/splashtop/win/SplashtopStreamer.exepUsers/Shared/Splashtop
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.atera.comPJ:
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FD6A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE9F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE95000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FF9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FD6A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE9F000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE95000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FAA1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FF9E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.0000026280064000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FBB9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0d23ecbb-a7a2-4184-a8c4-0ffbd57aa78a
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=105f79d9-b6d4-4745-93f9-3790e78d1c47
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=2ef5182b-e380-4bc6-8494-9de225acfe47
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FE95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=509b9b12-9651-4c7f-b3da-14c180413b65
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FAA1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6b180f86-e86f-427f-abfa-7e52c44e970c
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280064000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=6db2fbc3-30a8-44b6-bcc5-0f0d2cada185
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=a6413c82-8e99-48ec-a2d4-e6f4f0149a43
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c5af13b3-0733-40df-b53d-614184c81015
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FD6A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d3a7f0b3-a012-422d-88bd-e648955eb258
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=db6c8ef5-4254-44d9-ad48-433b42b75a5a
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/69d31729
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/v2/subscrib
Source: AteraAgent.exe, 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/69d31729-b40a-4033-aac0
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ps.pndsn.comPJ:
Source: Microsoft.ApplicationInsights.dll3.30.dr String found in binary or memory: https://rt.services.visualstudio.com/p
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1853799028.00000195FFDA2000.00000002.00000001.01000000.00000024.sdmp String found in binary or memory: https://system.data.sqlite.org/
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1854204840.00000195FFE04000.00000002.00000001.01000000.00000024.sdmp String found in binary or memory: https://system.data.sqlite.org/X
Source: svchost.exe, 00000000.00000003.1366488749.000001FE52A41000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/comp/gen.ashx
Source: svchost.exe, 00000000.00000003.1366551950.000001FE52A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gd?pv=1&r=
Source: svchost.exe, 00000000.00000003.1366551950.000001FE52A46000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000000.00000002.1367392212.000001FE52A24000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.dynamic.tiles.virtualearth.net/odvs/gri?pv=1&r=
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://t0.ssl.ak.tiles.virtualearth.net/tiles/gen
Source: svchost.exe, 00000000.00000003.1366514019.000001FE52A57000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000000.00000002.1367600632.000001FE52A58000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://tiles.virtualearth.net/tiles/cmd/StreetSideBubbleMetaData?north=
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1853799028.00000195FFDA2000.00000002.00000001.01000000.00000024.sdmp String found in binary or memory: https://urn.to/r/sds_see
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, ALVARA-072.msi, ISRT.dll.50.dr, swresample-2.dll.6.dr String found in binary or memory: https://www.digicert.com/CPS0
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1855595180.00000195FFEE8000.00000002.00000001.01000000.00000025.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1854313005.00000195FFE12000.00000002.00000001.01000000.00000025.sdmp String found in binary or memory: https://www.nuget.org/packages/NLog.Web.AspNetCore
Source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1658228362.000001E320FA2000.00000002.00000001.01000000.0000001B.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2372308158.0000026AE0B70000.00000002.00000001.01000000.0000002C.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1855704329.00000195FFEF2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll.11.dr String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: PreVerCheck.exe, 00000030.00000002.2274351905.0000000000B95000.00000002.00000001.01000000.00000028.sdmp String found in binary or memory: https://www.openssl.org/H
Source: AgentPackageMonitoring.exe String found in binary or memory: https://www.sqlite.org/copyright.html
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1867120506.00007FFB02A64000.00000002.00000001.01000000.0000001E.sdmp, SQLite.Interop.dll.22.dr String found in binary or memory: https://www.sqlite.org/copyright.html2
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security\AlphaAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\67ee33.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEF9A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF846.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC3D.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI145C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI146C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1567.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1662.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\67ee35.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI30E1.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\67ee36.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI142.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI27C.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1CEA.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI243E.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\67ee39.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI531F.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI58CE.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6A63.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6E8A.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7215.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\67ee3b.msi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB549.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\inprogressinstallinfo.ipi
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\SourceHash{C79F6EEC-3A2B-487D-A3B6-EDF4057B4E4B}
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB6F0.tmp
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\CustomAction.config
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\CustomAction.config
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\TMPADF9.tmp
Source: C:\Windows\System32\SIHClient.exe File created: C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\TMPA06.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
Source: C:\Windows\Temp\SplashtopStreamer.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Caches
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\system32\SRC46CC.tmp
Source: C:\Windows\System32\msiexec.exe File deleted: C:\Windows\Installer\MSIEF9A.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: String function: 00007FFB02A11B70 appears 102 times
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: String function: 00007FFB02A11D30 appears 114 times
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: String function: 00007FFB02A106B0 appears 145 times
Source: System.Net.Sockets.dll.6.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.6.dr Static PE information: No import functions for PE file found
Source: System.Net.WebSockets.dll.6.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.6.dr Static PE information: No import functions for PE file found
Source: System.Reflection.DispatchProxy.dll.6.dr Static PE information: No import functions for PE file found
Source: mscorrc.dll.6.dr Static PE information: No import functions for PE file found
Source: System.Net.Http.dll.6.dr Static PE information: No import functions for PE file found
Source: System.Runtime.Numerics.dll.6.dr Static PE information: No import functions for PE file found
Source: System.Net.WebSockets.Client.dll.6.dr Static PE information: No import functions for PE file found
Source: System.IO.Pipes.dll.6.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.6.dr Static PE information: No import functions for PE file found
Source: System.Net.Primitives.dll.6.dr Static PE information: No import functions for PE file found
Source: ALVARA-072.msi Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs ALVARA-072.msi
Source: ALVARA-072.msi Binary or memory string: OriginalFilenameSfxCA.dll\ vs ALVARA-072.msi
Source: ALVARA-072.msi Binary or memory string: OriginalFilenamewixca.dll\ vs ALVARA-072.msi
Source: System.IO.Pipes.dll.6.dr, PipeStream.cs Task registration methods: 'RegisterForCancellation'
Source: System.IO.Pipes.dll.6.dr, NamedPipeServerStream.cs Security API names: System.IO.Pipes.PipeSecurity.AddAccessRule(System.IO.Pipes.PipeAccessRule)
Source: System.IO.Pipes.dll.6.dr, NamedPipeServerStream.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: System.IO.Pipes.dll.6.dr, PipeSecurity.cs Security API names: System.IO.Pipes.PipeSecurity.GetAccessControlSectionsFromChanges()
Source: System.IO.Pipes.dll.6.dr, PipeSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.GetAccessRules(bool, bool, System.Type)
Source: System.IO.Pipes.dll.6.dr, PipeSecurity.cs Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)
Source: System.IO.Pipes.dll.6.dr, NamedPipeClientStream.cs Security API names: System.IO.Pipes.PipeStream.GetAccessControl()
Source: System.IO.Pipes.dll.6.dr, NamedPipeClientStream.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine Classification label: mal100.troj.spyw.evad.winMSI@176/1006@0/11
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1196:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3564:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5396:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Mutant created: NULL
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3256:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3812:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7048:120:WilError_03
Source: C:\Windows\System32\SIHClient.exe Mutant created: {376155FF-95A0-46CA-8F57-ACB09EA70153}
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1832:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6200:120:WilError_03
Source: C:\Windows\Temp\SplashtopStreamer.exe Mutant created: \BaseNamedObjects\Global\{47B9233E-7E50-46F2-B442-6A53F0D0F508}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\TEMP\~DF6F58E4A8AF7C3683.TMP
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
Source: C:\Windows\System32\msiexec.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\SIHClient.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIEF9A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6811656 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: SELECT Identifier, Severity, Timestamp FROM ThresholdDuration WHERE Identifier = @id;kDELETE FROM ThresholdDuration WHERE Identifier = @id;
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);@X9
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);@X9
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: INSERT INTO ThresholdDuration (Identifier,Severity,Timestamp) Values (@identifier, @severity, @timestamp) ON CONFLICT (Identifier) DO UPDATE SET Severity = excluded.Severity, Timestamp = excluded.Timestamp;
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: INSERT INTO [AlertsSent] (Timestamp, Alerts) VALUES (@timestamp, @alerts);kExecuteScriptAsync SystemTools Start scriptGuid : {0}Wrunscriptguid {0} 10 W10= disableSendResult
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195805B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;@X9
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_Timestamp ON AlertedEvents_V2 (Timestamp); CREATE INDEX IF NOT EXISTS idx_AlertedEvents_V2_LogName ON AlertedEvents_V2 (LogName);
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: CREATE TABLE IF NOT EXISTS StatisticsSendTime (Id INTEGER PRIMARY KEY,Timestamp BIGINT NOT NULL);
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: INSERT INTO Statistics(Name, Timestamp, Value) Values (@name, @timestamp, @value);%StatisticsSendTime
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002A.00000002.1866616915.00007FFB02A1A000.00000002.00000001.01000000.0000001E.sdmp, SQLite.Interop.dll.22.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);
Source: MSI58CE.tmp.6.dr Binary or memory string: SELECT Feature_ FROM ISSetupTypeFeatures WHERE ISSetupType_ = '%s'SetupType.cppsysnativesyswow64SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs[Win32]SharedFiles.cpp;Page UpPage DownEndHomeLeftUpRightDownInsertNum *Num /Num +Num -
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: CREATE TABLE IF NOT EXISTS Stub (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL);
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1840909645.0000019598B65000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL);
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1866616915.00007FFB02A1A000.00000002.00000001.01000000.0000001E.sdmp, SQLite.Interop.dll.22.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL); CREATE UNIQUE INDEX IF NOT EXISTS idx_ThresholdDuration_Identifier ON ThresholdDuration (Identifier);@X9
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002A.00000002.1866616915.00007FFB02A1A000.00000002.00000001.01000000.0000001E.sdmp, SQLite.Interop.dll.22.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002A.00000002.1866616915.00007FFB02A1A000.00000002.00000001.01000000.0000001E.sdmp, SQLite.Interop.dll.22.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: SELECT Timestamp FROM StatisticsSendTime ORDER BY Timestamp DESC LIMIT 1;
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);sSELECT MAX([Timestamp]) AS [TimeStamp] FROM [AlertsSent];
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002A.00000002.1866616915.00007FFB02A1A000.00000002.00000001.01000000.0000001E.sdmp, SQLite.Interop.dll.22.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: SELECT [Id], [Alerts], [Timestamp] FROM [AlertsSent] ORDER BY [Timestamp] DESC LIMIT 1;
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);/DELETE FROM Statistics;eSELECT Id, Name, Timestamp, Value FROM Statistics;
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS [AlertsSent] (Id INTEGER NOT NULL PRIMARY KEY, Timestamp BIGINT NOT NULL, Alerts TEXT NOT NULL);
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdsProfiles (Id INTEGER NOT NULL PRIMARY KEY,IsActive BOOLEAN NOT NULL,Timestamp BIGINT NOT NULL,Name TEXT NOT NULL,Thresholds TEXT NOT NULL); CREATE INDEX IF NOT EXISTS idx_ThresholdsProfiles_Timestamp ON ThresholdsProfiles (Timestamp);
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002A.00000002.1866616915.00007FFB02A1A000.00000002.00000001.01000000.0000001E.sdmp, SQLite.Interop.dll.22.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS Statistics (Id INTEGER PRIMARY KEY,Name TEXT NOT NULL,Timestamp BIGINT NOT NULL,Value TEXT NOT NULL);@X9
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS ThresholdDuration (Id INTEGER PRIMARY KEY,Identifier TEXT NOT NULL,Severity TEXT NOT NULL,Timestamp BIGINT NOT NULL);
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS AlertedEvents_V2 (Id INTEGER PRIMARY KEY, Timestamp BIGINT NOT NULL, LogName TEXT NOT NULL, Severity INTEGER NOT NULL, RecordId BIGINT NOT NULL, EventId BIGINT NOT NULL, Source TEXT NOT NULL, Message TEXT NULL);
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195805B3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: INSERT INTO ThresholdsProfiles (IsActive,Timestamp,Name,Thresholds) Values (@isActive,@timestamp,@name,@thresholds); DELETE FROM ThresholdsProfiles WHERE Timestamp < @timeToDelete;
Source: AgentPackageMonitoring.exe, AgentPackageMonitoring.exe, 0000002A.00000002.1866616915.00007FFB02A1A000.00000002.00000001.01000000.0000001E.sdmp, SQLite.Interop.dll.22.dr Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: select Name from Win32_PerfFormattedData_Tcpip_NetworkInterface!DataStatsEnabled9InboundBandwidthStatsEnabled;OutboundBandwidthStatsEnabled
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: SELECT Id, IsActive, Timestamp, Name, Thresholds FROM ThresholdsProfiles ORDER BY Timestamp DESC LIMIT 1;
Source: ALVARA-072.msi Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%
Source: ALVARA-072.msi ReversingLabs: Detection: 23%
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k UnistackSvcGroup
Source: unknown Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\ALVARA-072.msi"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc
Source: unknown Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s wscsvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k wsappx -p -s ClipSVC
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 513D6BCE314FC68D2D3F719BFBE54FA6
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIEF9A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6811656 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIF846.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6813796 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\system32\svchost.exe -k LocalService -s W32Time
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC3D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6818906 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B63C9CB250CD768B2152D73DCFF27664 E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@agiagro.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MmQV4IAN" /AgentId="69d31729-b40a-4033-aac0-eb6fc5db2da4"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\SIHClient.exe C:\Windows\System32\sihclient.exe /cv w6xFVE/+pk2zJopmEyg10g.0.2
Source: unknown Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI30E1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6828281 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "d17e2baf-c6e6-4c76-82cc-8f8fe3405907" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "8fcb6d3c-d337-43d4-afb7-ac811e04c487" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "f0d01c4a-6356-4ebf-9772-e6821cee1b63" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: unknown Process created: C:\Windows\System32\sppsvc.exe C:\Windows\system32\sppsvc.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "6c2f305d-73a5-47a5-9074-00ebd014d59f" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "946a9a47-9b54-413f-b7db-d3937ecf2585" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k smphost
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe "C:\Program Files\Windows Defender\mpcmdrun.exe" -wdenable
Source: C:\Program Files\Windows Defender\MpCmdRun.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Process created: C:\Windows\Temp\SplashtopStreamer.exe "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
Source: C:\Windows\Temp\SplashtopStreamer.exe Process created: C:\Windows\Temp\unpack\PreVerCheck.exe "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
Source: C:\Windows\Temp\unpack\PreVerCheck.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 051E653050A3B01096F077B541F1D052 E Global\MSI0000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "6b80f9c0-5b9a-4e7b-bfc9-0932c0402886" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 513D6BCE314FC68D2D3F719BFBE54FA6
Source: C:\Windows\System32\msiexec.exe Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding B63C9CB250CD768B2152D73DCFF27664 E Global\MSI0000
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@agiagro.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MmQV4IAN" /AgentId="69d31729-b40a-4033-aac0-eb6fc5db2da4"
Source: C:\Windows\System32\msiexec.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIEF9A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6811656 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIF846.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6813796 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIC3D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6818906 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI30E1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_6828281 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "d17e2baf-c6e6-4c76-82cc-8f8fe3405907" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "8fcb6d3c-d337-43d4-afb7-ac811e04c487" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: moshost.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapsbtsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mosstorage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ztrace_maps.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mapconfiguration.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostservice.dll
Source: C:\Windows\System32\svchost.exe Section loaded: networkhelper.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdataplatformhelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccspal.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: syncutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vaultcli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcfgutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmcmnutils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dmxmlhelputils.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: inproclogger.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.networking.connectivity.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msv1_0.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntlmshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptdll.dll
Source: C:\Windows\System32\svchost.exe Section loaded: synccontroller.dll
Source: C:\Windows\System32\svchost.exe Section loaded: pimstore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: aphostclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: accountaccessor.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: systemeventsbrokerclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatalanguageutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mccsengineshared.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cemapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userdatatypehelperutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: phoneutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\svchost.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rmclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msihnd.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storsvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: devobj.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fltlib.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bcd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wer.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\svchost.exe Section loaded: storageusage.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: propsys.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: tsappcmp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: userenv.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: profapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: netutils.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: srclient.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: spp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vssapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vsstrace.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: wldp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: msisip.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: version.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: rstrtmgr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ncrypt.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntasn1.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\msiexec.exe Section loaded: cabinet.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: cabinet.dll Jump to behavior
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: w32time.dll
Source: C:\Windows\System32\svchost.exe Section loaded: logoncli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: mswsock.dll
Source: C:\Windows\System32\svchost.exe Section loaded: userenv.dll
Source: C:\Windows\System32\svchost.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dsrole.dll
Source: C:\Windows\System32\svchost.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: vmictimeprovider.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: rasadhlp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: apphelp.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: aclayers.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: msi.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\msiexec.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: samcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: dsrole.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: logoncli.dll
Source: C:\Windows\SysWOW64\net1.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: riched20.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: usp10.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: msls31.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cabinet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Section loaded: wscapi.dll
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
Source: C:\Windows\System32\msiexec.exe File written: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.ini
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Windows\SysWOW64\RICHED32.DLL
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App
Source: C:\Windows\System32\msiexec.exe Directory created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35
Source: ALVARA-072.msi Static file information: File size 2994176 > 1048576
Source: Binary string: C:\CodeBases\isdev\Redist\Language Independent\i386\ISSetup.pdb source: MSI58CE.tmp.6.dr
Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdbSHA256 source: AgentPackageMonitoring.exe, 0000002A.00000002.1846265525.00000195FFCE2000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 00000014.00000000.1383292218.0000021EC66A2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 0000001A.00000002.1656716822.000001E308252000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: c:\winddk\7600.16385.1\src\setup\difxapi\difxcmd\objfre_win7_amd64\amd64\DIFxCmd.pdb source: DIFxCmd64.exe0.6.dr
Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdbp+ source: AgentPackageMonitoring.exe, 0000002A.00000002.1853799028.00000195FFDA2000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: d:\svn\sr01\tim\dev\win32\stvideo\mirror\objfre_win7_x86\i386\stmirror.pdbx source: stmirror.dll.6.dr
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1854313005.00000195FFE12000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdb source: System.Runtime.InteropServices.dll.30.dr
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Runtime.InteropServices\4.1.2.0\System.Runtime.InteropServices.pdbH5b5 T5_CorDllMainmscoree.dll source: System.Runtime.InteropServices.dll.30.dr
Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1843534702.00000195FF392000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.ReaderWriter\4.1.1.0\System.Xml.ReaderWriter.pdb source: System.Xml.ReaderWriter.dll.30.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net6.0\System.Diagnostics.DiagnosticSource.pdb source: System.Diagnostics.DiagnosticSource.dll4.30.dr
Source: Binary string: c:\winddk\7600.16385.1\src\setup\difxapi\difxcmd\objfre_win7_amd64\amd64\DIFxCmd.pdbH source: DIFxCmd64.exe0.6.dr
Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 0000000A.00000003.1297756832.0000000004CDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000444C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-util-l1-1-0.pdb source: api-ms-win-core-util-l1-1-0.dll.6.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdb source: AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: E:\A\_work\21\obj\Microsoft.ApplicationInsights\Release\src\Microsoft.ApplicationInsights\net45\Microsoft.ApplicationInsights.pdb source: Microsoft.ApplicationInsights.dll3.30.dr
Source: Binary string: D:\A\_work\39\s\bin\obj\Windows_NT.AnyCPU.Release\System.Runtime.InteropServices.RuntimeInformation\net45\System.Runtime.InteropServices.RuntimeInformation.pdb source: System.Runtime.InteropServices.RuntimeInformation.dll.22.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Extensions\net6.0-Release\System.Reflection.Extensions.pdb source: System.Reflection.Extensions.dll.6.dr
Source: Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 00000014.00000000.1383292218.0000021EC66A2000.00000002.00000001.01000000.00000010.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Runtime.Handles\net6.0-Release\System.Runtime.Handles.pdb source: System.Runtime.Handles.dll.6.dr
Source: Binary string: api-ms-win-core-console-l1-1-0.pdb source: api-ms-win-core-console-l1-1-0.dll.6.dr
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdbX)r) d)_CorDllMainmscoree.dll source: System.Net.Requests.dll.30.dr
Source: Binary string: api-ms-win-core-util-l1-1-0.pdbGCTL source: api-ms-win-core-util-l1-1-0.dll.6.dr
Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 00000016.00000002.2018950710.000001BCA8AB2000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 00000016.00000002.2018950710.000001BCA8AB2000.00000002.00000001.01000000.0000002A.sdmp
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1855704329.00000195FFEF2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll.11.dr
Source: Binary string: C:\code\dapper-dot-net\Dapper\bin\Release\net45\Dapper.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1849997542.00000195FFD62000.00000002.00000001.01000000.00000023.sdmp
Source: Binary string: System.Private.Xml.ni.pdb source: System.Private.Xml.dll.6.dr
Source: Binary string: C:\projects\nlog\src\NLog\obj\Release\net45\NLog.pdbSHA256d source: AgentPackageMonitoring.exe, 0000002A.00000002.1854313005.00000195FFE12000.00000002.00000001.01000000.00000025.sdmp
Source: Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 0000001A.00000000.1623145179.000001E307E92000.00000002.00000001.01000000.00000018.sdmp
Source: Binary string: C:\projects\polly\src\Polly\obj\Release\netstandard1.1\Polly.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1846265525.00000195FFCE2000.00000002.00000001.01000000.00000022.sdmp
Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\SRUnPackFile.pdb source: SplashtopStreamer.exe, 0000002F.00000000.1908546863.000000000042E000.00000002.00000001.01000000.00000027.sdmp, SplashtopStreamer.exe, 0000002F.00000002.2290517618.000000000042E000.00000002.00000001.01000000.00000027.sdmp
Source: Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 0000000A.00000003.1297756832.0000000004CDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000444C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdbSHA256 source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.30.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\net6.0-Release\System.Xml.XDocument.pdbt+ source: System.Xml.XDocument.dll.6.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1658228362.000001E320FA2000.00000002.00000001.01000000.0000001B.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2372308158.0000026AE0B70000.00000002.00000001.01000000.0000002C.sdmp
Source: Binary string: d:\slave\workspace\GIT_WIN_SRS_Formal\Source\irisserver\Release\PreVerCheck.pdb source: PreVerCheck.exe, 00000030.00000000.1951833191.0000000000B83000.00000002.00000001.01000000.00000028.sdmp, PreVerCheck.exe, 00000030.00000002.2274094246.0000000000B83000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Xml.XmlDocument\4.0.3.0\System.Xml.XmlDocument.pdb source: System.Xml.XmlDocument.dll.30.dr
Source: Binary string: /_/artifacts/obj/Microsoft.Extensions.Configuration.EnvironmentVariables/Release/net6.0/Microsoft.Extensions.Configuration.EnvironmentVariables.pdb source: Microsoft.Extensions.Configuration.EnvironmentVariables.dll.30.dr
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 0000000A.00000003.1297756832.0000000004D0F000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048FB000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FD9000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FC6D000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000447D000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 0000001A.00000002.1658228362.000001E320FA2000.00000002.00000001.01000000.0000001B.sdmp, AteraAgent.exe, 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2372308158.0000026AE0B70000.00000002.00000001.01000000.0000002C.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1855704329.00000195FFEF2000.00000002.00000001.01000000.00000026.sdmp, Newtonsoft.Json.dll.11.dr
Source: Binary string: d:\svn\sr01\tim\dev\win32\stvideo\mirror\objfre_win7_x86\i386\stmirror.pdb source: stmirror.dll.6.dr
Source: Binary string: t.pdbpdb source: AteraAgent.exe, 00000016.00000002.2010230473.000001BCA833C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: D:\a\1\s\AgentPackageMonitoring\AgentPackageMonitoring\obj\Release\AgentPackageMonitoring.pdb source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe.22.dr
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: ALVARA-072.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Globalization.Extensions\net6.0-Release\System.Globalization.Extensions.pdb source: System.Globalization.Extensions.dll.6.dr
Source: Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 0000000A.00000003.1297756832.0000000004CDE000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000B.00000003.1303253528.00000000048CA000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 0000000D.00000003.1365685073.0000000003FA8000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1449338023.000000000444C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\projects\structuremap\src\StructureMap\obj\Release\net45\StructureMap.pdbSHA256`{f source: AgentPackageMonitoring.exe, 0000002A.00000002.1843534702.00000195FF392000.00000002.00000001.01000000.00000020.sdmp
Source: Binary string: E:\A\_work\1795\s\corefx\bin/obj/Windows_NT.AnyCPU.Release/System.Security.Cryptography.Algorithms/netfx\System.Security.Cryptography.Algorithms.pdb source: System.Security.Cryptography.Algorithms.dll.30.dr
Source: Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 0000001A.00000002.1656716822.000001E308252000.00000002.00000001.01000000.0000001A.sdmp
Source: Binary string: W.pdb$Gs0 source: PreVerCheck.exe, 00000030.00000002.2274351905.0000000000B95000.00000002.00000001.01000000.00000028.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Xml.XDocument\net6.0-Release\System.Xml.XDocument.pdb source: System.Xml.XDocument.dll.6.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\apphost\standalone\apphost.pdbcccGCTL source: AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECF85000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-console-l1-1-0.pdbGCTL source: api-ms-win-core-console-l1-1-0.dll.6.dr
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Net.Requests\4.0.11.0\System.Net.Requests.pdb source: System.Net.Requests.dll.30.dr
Source: Binary string: E:\A\_work\582\s\bin\obj\ref\System.Security.Principal\4.0.1.0\System.Security.Principal.pdb source: System.Security.Principal.dll.30.dr
Source: Binary string: C:\dev\sqlite\dotnet-private\bin\2012\x64\ReleaseNativeOnlyStatic\SQLite.Interop.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1866616915.00007FFB02A1A000.00000002.00000001.01000000.0000001E.sdmp, SQLite.Interop.dll.22.dr
Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 00000014.00000002.1439315934.0000021EE0D02000.00000002.00000001.01000000.00000012.sdmp
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Diagnostics.DiagnosticSource\Release\net6.0\System.Diagnostics.DiagnosticSource.pdbSHA256 source: System.Diagnostics.DiagnosticSource.dll4.30.dr
Source: Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 00000014.00000002.1439315934.0000021EE0D02000.00000002.00000001.01000000.00000012.sdmp, AteraAgent.exe, 0000001E.00000002.2564491155.00000262ECE90000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\dev\sqlite\dotnet-private\obj\2012\System.Data.SQLite.2012\Release\System.Data.SQLite.pdb source: AgentPackageMonitoring.exe, 0000002A.00000002.1853799028.00000195FFDA2000.00000002.00000001.01000000.00000024.sdmp
Source: Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: ALVARA-072.msi
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Private.Xml\net6.0-windows-Release\System.Private.Xml.pdb source: System.Private.Xml.dll.6.dr
Source: Binary string: D:\a\_work\1\s\artifacts\obj\System.Reflection.Extensions\net6.0-Release\System.Reflection.Extensions.pdbD)^) P)_CorDllMainmscoree.dll source: System.Reflection.Extensions.dll.6.dr
Source: System.Reflection.DispatchProxy.dll.6.dr Static PE information: 0xD237EF3C [Sun Oct 5 09:11:24 2081 UTC]
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028D1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 42_2_00007FFB028D1910
Source: msquic.dll.6.dr Static PE information: section name: _RDATA
Source: SRWacomCtrl64.dll.6.dr Static PE information: section name: _RDATA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_3_06EF84A1 push es; ret 11_3_06EF84B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_3_06EF995D push 0000005Dh; ret 11_3_06EF996E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 22_2_00007FFAAB5A0AFB pushad ; ret 22_2_00007FFAAB5A0B01
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 22_2_00007FFAAB59CA38 push FFFFFFE8h; ret 22_2_00007FFAAB59CCF9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 22_2_00007FFAAB796184 push eax; ret 22_2_00007FFAAB7961B4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_3_046189BF push dword ptr [esp+ecx*2-75h]; ret 25_3_046189C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_3_046F1350 push 08428B04h; ret 25_3_046F1663
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 25_3_046F1651 push 08428B04h; ret 25_3_046F1663
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 26_2_00007FFAAB5700BD pushad ; iretd 26_2_00007FFAAB5700C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 28_2_00007FFAAB5800BD pushad ; iretd 28_2_00007FFAAB5800C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB59CC98 push FFFFFFE8h; retf 30_2_00007FFAAB59CEF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB59CC8D push FFFFFFE8h; retf 30_2_00007FFAAB59CEF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB59CC90 push FFFFFFE8h; retf 30_2_00007FFAAB59CEF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB59CC5D push FFFFFFE8h; retf 30_2_00007FFAAB59CEF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB59CC60 push FFFFFFE8h; retf 30_2_00007FFAAB59CEF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB5A2DFA push FFFFFFE8h; retf 30_2_00007FFAAB5A2EF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB5A25F2 push eax; iretd 30_2_00007FFAAB5A2631
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB59A64C push eax; retf 30_2_00007FFAAB59A661
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB59A650 push eax; retf 30_2_00007FFAAB59A661
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB7A8C5C push esp; ret 30_2_00007FFAAB7A8C73
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB7A8BF8 push eax; ret 30_2_00007FFAAB7A8C13
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB7A4814 pushad ; ret 30_2_00007FFAAB7A4823
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB7A0F64 push eax; ret 30_2_00007FFAAB7A0F94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Code function: 30_2_00007FFAAB7A0F9C push eax; ret 30_2_00007FFAAB7A0F94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 33_2_00007FFAAB57D2C5 pushad ; iretd 33_2_00007FFAAB58AA45
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 33_2_00007FFAAB57792B push ebx; retf 33_2_00007FFAAB57796A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 33_2_00007FFAAB57FEFA push FFFFFFE8h; retf 33_2_00007FFAAB57FFF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 33_2_00007FFAAB57FFB8 push FFFFFFE8h; retf 33_2_00007FFAAB57FFF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 33_2_00007FFAAB562D95 push eax; ret 33_2_00007FFAAB562E1D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 33_2_00007FFAAB5600BD pushad ; iretd 33_2_00007FFAAB5600C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Code function: 33_2_00007FFAAB578163 push ebx; ret 33_2_00007FFAAB57816A
Source: System.Runtime.Numerics.dll.6.dr Static PE information: section name: .text entropy: 6.855780398702841
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BA74182F76F15A9CF514DEF352303C95
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1A374813EDB1A6631387E414D3E73232
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\System.Management.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB549.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI27C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC3D.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sys Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEF9A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI58CE.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4.tmp Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1CEA.tmp Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6A63.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\System.Management.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exe
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF846.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebHeaderCollection.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.Win32.Primitives.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.AccessControl.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\System.Management.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Buffers.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperExx.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRChat.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.DiaSymReader.Native.amd64.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Extensions.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Claims.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.ZipFile.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Requests.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.IsolatedStorage.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Channels.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l2-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Transactions.Local.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1567.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Memory.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Formats.Asn1.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\qrcodelib.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsb.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libssl-3.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Quic.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Annotations.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Drawing.Primitives.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SROpus.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clrjit.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264Wrapper.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlSerializer.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Intrinsics.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Serialization.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\32bits\stvad.sys
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore_amd64_amd64_6.0.3524.45918.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\swresample-2.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.DispatchProxy.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Polly.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Dynamic.Runtime.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\RunScriptAsUser.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Compression.Native.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrlEx.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\clretwrc.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\32bits\stvspk.sys
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.Linq.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ObjectModel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Diagnostics.DiagnosticSource.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceModel.Web.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\hidkmdf.sys
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Xml.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsbVhciCtrl32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dll
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sys
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Windows.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.sys
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.UnmanagedMemoryStream.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\stprintmon.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebProxy.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.DataContractSerialization.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Http.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exe
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI142.tmp
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ServiceProcess.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.ApplicationInsights.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.Reader.dll
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Elevator.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\ucrtbase.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ValueTuple.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\dbgshim.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Globalization.Extensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI146C.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\NvFBC.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdnup.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomUtil64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcurl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.InteropServices.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorlib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Resources.ResourceManager.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7215.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdateInstall.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\my_setup.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Overlapped.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6E8A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeatMini.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.TypeConverter.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Web.HttpUtility.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomUtil32.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Microsoft.ApplicationInsights.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI30E1.tmp Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackage.Common.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x86\SRUsb.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1662.tmp Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Microsoft.ApplicationInsights.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.Primitives.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Data.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Configuration.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Expressions.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.Utils.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.Pipes.AccessControl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.ReaderWriter.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XPath.XDocument.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Specialized.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\choco.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Mail.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\msquic.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Memory.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Cng.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscorrc.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.Lightweight.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Sockets.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x64\SRWacomCtrl64.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dll Jump to dropped file
Source: C:\Windows\Temp\unpack\PreVerCheck.exe File created: C:\Windows\Temp\unpack\SRSocketCtrl.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{015720C1-18B4-41EA-ABB7-A5C96198F9BE}\_is37B.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIEF9A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI58CE.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIF846.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{20D00C64-332B-4AD0-9BF7-0776E26C7FE1}\_isres_0x0409.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{0A2173DD-F1DD-4208-9339-AE15EC138492}\ISRT.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{C9A47452-5203-43AE-93A3-1550E296BE1D}\_isres_0x0409.dll Jump to dropped file
Source: C:\Windows\Temp\SplashtopStreamer.exe File created: C:\Windows\Temp\unpack\PreVerCheck.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC4.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{015720C1-18B4-41EA-ABB7-A5C96198F9BE}\_isres_0x0409.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI146C.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{0A2173DD-F1DD-4208-9339-AE15EC138492}\_is54A8.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIEF9A.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1CEA.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\Microsoft.Deployment.WindowsInstaller.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSI30E1.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\System32\SRC46CC.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIC3D.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\System.Management.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{C9A47452-5203-43AE-93A3-1550E296BE1D}\ISRT.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI7215.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{20D00C64-332B-4AD0-9BF7-0776E26C7FE1}\ISRT.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6E8A.tmp Jump to dropped file
Source: C:\Windows\Temp\unpack\PreVerCheck.exe File created: C:\Windows\Temp\unpack\libcrypto-3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{C9A47452-5203-43AE-93A3-1550E296BE1D}\_is85A.exe Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{0A2173DD-F1DD-4208-9339-AE15EC138492}\_isres_0x0409.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe File created: C:\Windows\Temp\SplashtopStreamer.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIB549.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1567.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI27C.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{599318EE-7E7F-4BB7-B941-C069894B4FBB}\_isres_0x0409.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSIC3D.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{015720C1-18B4-41EA-ABB7-A5C96198F9BE}\ISRT.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI30E1.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI142.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\Installer\MSIF846.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI6A63.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe File created: C:\Windows\Installer\MSI1662.tmp Jump to dropped file
Source: C:\Windows\Temp\unpack\PreVerCheck.exe File created: C:\Windows\Temp\unpack\libssl-3.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{20D00C64-332B-4AD0-9BF7-0776E26C7FE1}\_is4302.exe Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\system32\SRCredentialProvider.dll (copy) Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{599318EE-7E7F-4BB7-B941-C069894B4FBB}\_is58FE.exe Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\Windows\Temp\{599318EE-7E7F-4BB7-B941-C069894B4FBB}\ISRT.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Windows\system32\InstallUtil.InstallLog
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\license.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\license.txt Jump to behavior
Source: C:\Windows\System32\msiexec.exe File created: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\license.txt Jump to behavior

Boot Survival

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Win32.TaskScheduler.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application
Source: C:\Windows\System32\svchost.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W32Time\Config
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Splashtop Remote\
Source: C:\Windows\SysWOW64\msiexec.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Splashtop Remote\Splashtop Streamer.lnk
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028CA524 EncodePointer,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 42_2_00007FFB028CA524
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Registry key monitored for changes: HKEY_USERS\.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Key value created or modified: HKEY_USERS\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob
Source: C:\Windows\System32\svchost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\msiexec.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOGPFAULTERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\SIHClient.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDrive
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\ROOT\cimv2:Win32_DiskDrive.DeviceID="\\\\.\\PHYSICALDRIVE0"} where resultclass = Win32_DiskPartition
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_DiskDriveToDiskPartition where Antecedent="Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PhysicalAdapter,Name,PNPDeviceID from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Name,DisplayName,Description,State from Win32_Service
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #0"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #0\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #1"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #1\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : associators of {\\user-PC\root\cimv2:Win32_DiskPartition.DeviceID="Disk #0, Partition #2"} where resultclass = Win32_LogicalDisk
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_LogicalDiskToPartition where Antecedent="Win32_DiskPartition.DeviceID=\"Disk #0, Partition #2\""
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size,FreeSpace,Name FROM Win32_LogicalDisk where DriveType=3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Name from Win32_SoundDevice
Source: C:\Windows\System32\svchost.exe System information queried: FirmwareTableInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 21EC69F0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 21EE0390000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 1BC8F900000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 1BCA79F0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1E3081F0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1E320720000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 25D44380000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 25D5C5B0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 262EBE00000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Memory allocated: 262EC370000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1E309310000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1E321B60000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Memory allocated: 26AC7E60000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Memory allocated: 26AE02D0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Memory allocated: 195FEE80000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Memory allocated: 195FF480000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1D6FB5A0000 memory reserve | memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Memory allocated: 1D6FBAD0000 memory reserve | memory write watch
Source: C:\Windows\System32\svchost.exe File opened / queried: SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599875
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599765
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599629
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599500
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599390
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599281
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599171
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599062
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598953
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598843
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598734
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598625
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598515
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598406
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598296
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598180
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598057
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597951
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597785
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597568
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597203
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597035
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596906
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596793
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596687
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596575
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596468
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596358
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596250
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596140
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596031
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595921
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595810
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595703
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595593
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595484
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595375
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595265
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595156
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595045
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 594937
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599859
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599750
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599640
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599531
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599421
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599312
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599196
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599093
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598984
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598873
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598765
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598545
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598437
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598316
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598187
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598062
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597953
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597837
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597733
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597621
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597503
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597375
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597265
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597154
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597047
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596937
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596827
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596718
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596609
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596500
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596378
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596250
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596125
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596004
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595875
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595695
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595578
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595429
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595218
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594703
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594546
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594437
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594328
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594217
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594106
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593999
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593871
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593763
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593546
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593437
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593328
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 3787
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 5911
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 6931
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Window / User API: threadDelayed 2607
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 7391
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 2412
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Window / User API: threadDelayed 6264
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Window / User API: threadDelayed 3543
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 2959
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Window / User API: threadDelayed 1921
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Window / User API: threadDelayed 1570
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\devcon64.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Microsoft.ApplicationInsights.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.HttpListener.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Dynamic.Runtime.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.Exceptions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Private.Xml.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIEF9A.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppAnnotation.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.NetworkInformation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exe
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\Temp\{C9A47452-5203-43AE-93A3-1550E296BE1D}\_isres_0x0409.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Interop.WUApiLib.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.UserSecrets.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Encoding.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Primitives.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\Temp\{0A2173DD-F1DD-4208-9339-AE15EC138492}\_is54A8.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.ValueTuple.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI30E1.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC3D.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Contracts.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdbook.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Linq.Queryable.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.OpenSsl.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.Extensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.CSharp.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\WBAppVidRec.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encoding.CodePages.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x86.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.DiagnosticSource.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.Primitives.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.Client.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\Temp\{0A2173DD-F1DD-4208-9339-AE15EC138492}\_isres_0x0409.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.FileExtensions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\my_setup.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIB549.tmp
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI27C.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Primitives.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC3D.tmp
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRx264WrapperEx.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdnup.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Dataflow.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.TraceSource.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Principal.Windows.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Csp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ObjectModel.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdscale.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdscale.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Algorithms.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\legacy.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Core.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Claims.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdbook.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.ConfigurationExtensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackage.Common.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Emit.ILGeneration.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.ServiceProcess.ServiceController.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.Formatters.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Numerics.Vectors.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Ping.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Process.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Wacom\x86\SRWacomCtrl32.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dll
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC3D.tmp-\Newtonsoft.Json.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.ValueTuple.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileSystemGlobbing.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiCaptor.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Abstractions.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\Temp\{C9A47452-5203-43AE-93A3-1550E296BE1D}\_is85A.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.NonGeneric.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\64bits\stvad.sys
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.DataAnnotations.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XDocument.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Serialization.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Hosting.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exe
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Queryable.dll
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebClient.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdsmplui.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\hostpolicy.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Security.Cryptography.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Collections.Immutable.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIEF9A.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Memory.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.StackTrace.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI58CE.tmp Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Abstractions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\Mirror2Extend.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.TypeExtensions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Encodings.Web.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\it\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.Primitives.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.Sinks.File.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\WindowsBase.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC4.tmp Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XmlDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Extensions.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI1CEA.tmp Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\netstandard.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Handles.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.XmlSerializer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Process.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\browser\lib\net6.0\System.Text.Encodings.Web.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Net.WebSockets.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\t2tWinFormAppBarLib.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Microsoft.ApplicationInsights.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\createdump.exe Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.DriveInfo.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Xml.Linq.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.MemoryMappedFiles.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Runtime.Numerics.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Threading.Tasks.Parallel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Diagnostics.Tools.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI6A63.tmp Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\system32\SRCredentialProvider.dll (copy) Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Console.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Serilog.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NameResolution.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventSource.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Reflection.Metadata.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Memory.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\Microsoft.VisualBasic.Core.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIEF9A.tmp-\System.Management.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.Text.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppBS.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI30E1.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIF846.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libmp4v2.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Text.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\StructureMap.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSI30E1.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Buffers.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.IO.FileSystem.AccessControl.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIC3D.tmp-\AlphaControlAgentInstallation.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordaccore.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.Binder.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\XDColMan.dll Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe Dropped PE file which has not been started: C:\Windows\Installer\MSIEF9A.tmp-\Newtonsoft.Json.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxyumd32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\msiexec.exe Dropped PE file which has not been started: C:\Windows\System32\SRC46CC.tmp Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\System.ComponentModel.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Primitives.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stmirror.sys Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.35\mscordbi.dll Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exe Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys Jump to dropped file
Source: C:\Windows\System32\msiexec.exe Dropped PE file which has not been started: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Registry key enumerated: More than 126 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\SysWOW64\rundll32.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : select Manufacturer,SoftwareElementID,ReleaseDate from Win32_BIOS
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Windows\System32\SIHClient.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select PartOfDomain,Workgroup,Domain FROM Win32_ComputerSystem
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_ComputerSystem
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select MaxClockSpeed from Win32_Processor
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\svchost.exe File Volume queried: C:\Windows\System32 FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\msiexec.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\SplashtopStreamer.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\SplashtopStreamer.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\SplashtopStreamer.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\Temp\SplashtopStreamer.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599875
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599765
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599629
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599500
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599390
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599281
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599171
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 599062
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598953
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598843
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598734
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598625
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598515
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598406
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598296
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598180
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 598057
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597951
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597785
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597568
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597203
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 597035
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596906
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596793
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596687
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596575
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596468
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596358
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596250
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596140
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 596031
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595921
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595810
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595703
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595593
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595484
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595375
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595265
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595156
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 595045
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 594937
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 600000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599859
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599750
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599640
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599531
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599421
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599312
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599196
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 599093
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598984
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598873
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598765
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598545
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598437
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598316
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598187
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 598062
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597953
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597837
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597733
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597621
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597503
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597375
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597265
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597154
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 597047
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596937
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596827
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596718
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596609
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596500
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596378
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596250
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596125
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 596004
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595875
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595695
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595578
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595429
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 595218
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594703
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594546
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594437
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594328
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594217
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 594106
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593999
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593871
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593763
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593656
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593546
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593437
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Thread delayed: delay time: 593328
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\lib\
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\lib\
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\node_modules\async\
Source: C:\Windows\SysWOW64\msiexec.exe File opened: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\File\node_modules\request\node_modules\form-data\
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service0
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2122716528.000001D6FC601000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware
Source: svchost.exe, 0000002C.00000003.2062091183.000002146001B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C298128B8C02A71A2474AEB5F3DC
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1888418091.000001E3091A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStopped7
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1888418091.000001E3091A5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2118125342.000001D6FC400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2120941007.000001D6FC4B7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicvss-#
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2120810707.000001D6FC4AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped!7
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1903453070.000001E3222D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStopped
Source: svchost.exe, 0000002C.00000002.2519348537.000002145FC9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: n Files(@SetPropValue.FriendlyName("VMware Virtual disk");
Source: SIHClient.exe, 00000015.00000003.1899940408.000002B9A6157000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1465864586.000002B9A615A000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000002.1903388695.000002B9A6157000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp$
Source: ISRT.dll.50.dr Binary or memory string: _IsVirtualMachine
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0BE6000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0C3F000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1463649405.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1467240104.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1465146592.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1899940408.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1462592594.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1468343840.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1466540378.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1468008740.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: !Win32_Service.Name="vmicshutdown"p^G
Source: svchost.exe, 0000002C.00000002.2519348537.000002145FC9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: s\Syste @SetPropValue.FriendlyName("VMware Virtual disk");
Source: AteraAgent.exe, 00000014.00000002.1437477207.0000021EE0B60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWen-GBn
Source: SIHClient.exe, 00000015.00000003.1463649405.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1467240104.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1465146592.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1899940408.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1462592594.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1468343840.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1466540378.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1468008740.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000002.1903388695.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp, SIHClient.exe, 00000015.00000003.1456240663.000002B9A61A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: svchost.exe, 00000004.00000002.2520072076.0000023AC1D02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2122716528.000001D6FC601000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1888418091.000001E3091A5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2115076507.000001D6FB304000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1888418091.000001E3091A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStoppedE
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: |Provides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1903453070.000001E3222D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStoppedH
Source: AgentPackageAgentInformation.exe, 0000001A.00000000.1623145179.000001E307E92000.00000002.00000001.01000000.00000018.sdmp Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
Source: AgentPackageAgentInformation.exe, 0000001A.00000002.1658449420.000001E3210A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: !Hyper-V PowerShell Direct Service0
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicshutdown
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1901770604.000001E322252000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStopped
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1843120416.00000195FEEB2000.00000002.00000001.01000000.0000001F.sdmp Binary or memory string: vmware
Source: svchost.exe, 0000002C.00000002.2517947360.000002145FC3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JSetPropValue.Manufacturer("VMware");
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1901770604.000001E322252000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServicevmicshutdownvmicshutdownStopped:tE
Source: AgentPackageMonitoring.exe, 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: IsVirtualMachine
Source: svchost.exe, 0000002C.00000002.2519348537.000002145FC9F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: x86)\Au*@SetPropValue.FriendlyName("VMware Virtual disk");
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "Win32_Service.Name="vmicheartbeat"p^G
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Hyper-V Time Synchronization Service
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2118734312.000001D6FC437000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicvss
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2120810707.000001D6FC4AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: vmicheartbeat|(;
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface0
Source: svchost.exe, 0000002C.00000002.2521230614.0000021460123000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SPACES_PhysicalDisk{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{3c527940-1853-195e-fb1a-27cdb1f80e4a}6000C298128B8C02A71A2474AEB5F3DCVMware Virtual diskVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Win32_Service.Name="vmicvss"p^G
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Hyper-V Volume Shadow Copy Requestor0
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1888418091.000001E3091A5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2118125342.000001D6FC400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1903453070.000001E3222D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2120810707.000001D6FC4AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Provides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1903453070.000001E3222D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2120810707.000001D6FC4AB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -Hyper-V Remote Desktop Virtualization Service
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmicheartbeat
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2121618369.000001D6FC5A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll..
Source: svchost.exe, 0000002C.00000002.2517947360.000002145FC3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: dSetPropValue.FriendlyName("VMware Virtual disk");
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: -Hyper-V Remote Desktop Virtualization Service0
Source: svchost.exe, 00000004.00000002.2519113210.0000023AC1C4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: qProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2118734312.000001D6FC437000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServicevmicvssvmicvssStopped
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2115076507.000001D6FB304000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceProvides an interface for the Hyper-V hypervisor to provide per-partition performance counters to the host operating system.HV Host ServiceHvHostStoppedl
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1903453070.000001E3222D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2120810707.000001D6FC4AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Guest Shutdown Service0
Source: svchost.exe, 00000004.00000002.2519434395.0000023AC1C64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 0000002C.00000002.2517947360.000002145FC3C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware, Inc.VMware20,1NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dnSS @
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2118515060.000001D6FC42A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServicevmicheartbeatvmicheartbeatStoppedI
Source: rundll32.exe, 0000000B.00000002.1348585728.0000000002F82000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000C.00000002.2517237285.0000021E9842B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000002.1517127669.0000000002C75000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000019.00000003.1514310578.0000000002C74000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000001E.00000002.2561782268.00000262ECB2A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000021.00000002.1904166583.000001E32236A000.00000004.00000020.00020000.00000000.sdmp, AgentPackageSTRemote.exe, 00000027.00000002.2374985635.0000026AE0C20000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: svchost.exe, 0000002C.00000002.2520226491.000002145FCCF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: svchost.exe, 0000002C.00000002.2517381036.000002145FC13000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: VMware Virtual disk6000C298128B8C02A71A2474AEB5F3DC0VMwareVirtual disk
Source: svchost.exe, 00000004.00000002.2519113210.0000023AC1C4B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1888418091.000001E3091A5000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2118125342.000001D6FC400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceProvides a platform for communication between the virtual machine and the operating system running on the physical computer.Hyper-V Remote Desktop Virtualization ServicevmicrdvStopped
Source: svchost.exe, 00000004.00000002.2518438117.0000023AC1C2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: svchost.exe, 00000004.00000002.2518438117.0000023AC1C2B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: (@\??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1903453070.000001E3222D0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceProvides a mechanism to manage virtual machine with PowerShell via VM session without a virtual network.Hyper-V PowerShell Direct ServicevmicvmsessionStopped
Source: AgentPackageMonitoring.exe, 0000002A.00000000.1776005419.00000195FEA12000.00000002.00000001.01000000.0000001D.sdmp, AgentPackageMonitoring.exe, 0000002A.00000002.1843120416.00000195FEEB2000.00000002.00000001.01000000.0000001F.sdmp, AgentPackageMonitoring.exe.22.dr Binary or memory string: get_IsVirtualMachine
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2120810707.000001D6FC4AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceProvides an interface for the Hyper-V host to interact with specific services running inside the virtual machine.Hyper-V Guest Service InterfacevmicguestinterfaceStopped
Source: ISRT.dll.50.dr Binary or memory string: _GetVirtualMachineType
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2122716528.000001D6FC601000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: MSFT_PhysicalDisk{1}\\user-PC\root/Microsoft/Windows/Storage/Providers_v2\SPACES_PhysicalDisk.ObjectId="{a33c734b-61ca-11ee-8c18-806e6f6e6963}:PD:{3c527940-1853-195e-fb1a-27cdb1f80e4a}"6000C298128B8C02A71A2474AEB5F3DCVMware Virtual diskVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1903453070.000001E3222D0000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000033.00000002.2120810707.000001D6FC4AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $Hyper-V Time Synchronization Service0
Source: svchost.exe, 00000004.00000002.2519434395.0000023AC1C64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: svchost.exe, 00000004.00000002.2519434395.0000023AC1C64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: @SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: svchost.exe, 00000004.00000002.2517378314.0000023AC1C02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: HvHostWdiSystemHostScDeviceEnumWiaRpctrkwksAudioEndpointBuilderhidservdot3svcUmRdpServiceDsSvcfhsvcvmickvpexchangevmicshutdownvmicguestinterfacevmicvmsessionsvsvcStorSvcWwanSvcvmicvssDevQueryBrokerNgcSvcsysmainNetmanTabletInputServicePcaSvcDisplayEnhancementServiceIPxlatCfgSvcDeviceAssociationServiceNcbServiceEmbeddedModeSensorServicewlansvcCscServiceWPDBusEnumMixedRealityOpenXRSvc
Source: svchost.exe, 0000002C.00000002.2520226491.000002145FCCF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219SetPropValue.PhysicalLocation("PCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0");
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2120810707.000001D6FC4AB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceSynchronizes the system time of this virtual machine with the system time of the physical computer.Hyper-V Time Synchronization ServicevmictimesyncStoppedo6
Source: AteraAgent.exe, 00000016.00000002.1974036972.000001BC8FA47000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V Heartbeat Service0
Source: AgentPackageAgentInformation.exe, 00000021.00000002.1906020061.000001E32239A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: re Virtual diskVMwareVirtual disk6000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 0
Source: svchost.exe, 0000002C.00000002.2519348537.000002145FCC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVirtual disk2.06000c298128b8c02a71a2474aeb5f3dcPCI Slot 32 : Bus 2 : Device 0 : Function 0 : Adapter 0 : Port 0 : Target 0 : LUN 006000C298128B8C02A71A2474AEB5F3DCubl
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: !Hyper-V PowerShell Direct Service
Source: AgentPackageAgentInformation.exe, 00000033.00000002.2118125342.000001D6FC400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Win32_ServiceProvides a mechanism to exchange data between the virtual machine and the operating system running on the physical computer.Hyper-V Data Exchange ServicevmickvpexchangeStopped
Source: AteraAgent.exe, 00000016.00000002.2010230473.000001BCA82A1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: C:\Windows\System32\msiexec.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\sppsvc.exe Process queried: DebugPort
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028C7B4C __crtCaptureCurrentContext,IsDebuggerPresent,__crtUnhandledException, 42_2_00007FFB028C7B4C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB0290AFB0 OutputDebugStringA,GetProcessHeap,OutputDebugStringA,GetLastError,lstrlenW,HeapAlloc,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetLastError,OutputDebugStringA,GetModuleFileNameW,lstrlenW,OutputDebugStringA,lstrcatW,lstrcatW,lstrcatW,GetFileAttributesW,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,WinVerifyTrust,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetEnvironmentVariableW,OutputDebugStringA,GetCurrentThreadId,GetCurrentProcessId,wsprintfW,GetEnvironmentVariableW,SetEnvironmentVariableW,_errno,_errno,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetLastError,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,HeapFree,_snprintf,OutputDebugStringA, 42_2_00007FFB0290AFB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028D1910 EncodePointer,__crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 42_2_00007FFB028D1910
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028CACD4 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 42_2_00007FFB028CACD4
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 40.119.152.241 443
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="contato@agiagro.com.br" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MmQV4IAN" /AgentId="69d31729-b40a-4033-aac0-eb6fc5db2da4"
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "d17e2baf-c6e6-4c76-82cc-8f8fe3405907" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "8fcb6d3c-d337-43d4-afb7-ac811e04c487" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "f0d01c4a-6356-4ebf-9772-e6821cee1b63" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "6c2f305d-73a5-47a5-9074-00ebd014d59f" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "946a9a47-9b54-413f-b7db-d3937ecf2585" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "6b80f9c0-5b9a-4e7b-bfc9-0932c0402886" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000MmQV4IAN
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: unknown unknown
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cscript.exe cscript "C:\Program Files (x86)\Microsoft Office\Office16\ospp.vbs" /dstatus
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Process created: C:\Windows\Temp\SplashtopStreamer.exe "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
Source: C:\Windows\Temp\SplashtopStreamer.exe Process created: C:\Windows\Temp\unpack\PreVerCheck.exe "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
Source: C:\Windows\Temp\unpack\PreVerCheck.exe Process created: C:\Windows\SysWOW64\msiexec.exe msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\msiexec.exe Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\System32\msiexec.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="contato@agiagro.com.br" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000mmqv4ian" /agentid="69d31729-b40a-4033-aac0-eb6fc5db2da4"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "d17e2baf-c6e6-4c76-82cc-8f8fe3405907" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000mmqv4ian
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "8fcb6d3c-d337-43d4-afb7-ac811e04c487" agent-api.atera.com/production 443 or8ixli90mf "identified" 001q300000mmqv4ian
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "f0d01c4a-6356-4ebf-9772-e6821cee1b63" agent-api.atera.com/production 443 or8ixli90mf "generalinfo fromgui" 001q300000mmqv4ian
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagestremote\agentpackagestremote.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "6c2f305d-73a5-47a5-9074-00ebd014d59f" agent-api.atera.com/production 443 or8ixli90mf "install eyjsbw1db2rlijoiafpdrezqaes3nw1kin0=" 001q300000mmqv4ian
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackagemonitoring\agentpackagemonitoring.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "946a9a47-9b54-413f-b7db-d3937ecf2585" agent-api.atera.com/production 443 or8ixli90mf "syncprofile" 001q300000mmqv4ian
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" 69d31729-b40a-4033-aac0-eb6fc5db2da4 "6b80f9c0-5b9a-4e7b-bfc9-0932c0402886" agent-api.atera.com/production 443 or8ixli90mf "generalinfo" 001q300000mmqv4ian
Source: MSI58CE.tmp.6.dr Binary or memory string: ?OPTYPE_PROGMAN_FIELDSWWW
Source: MSI58CE.tmp.6.dr Binary or memory string: ISLOG_VERSION_INFO..\..\..\Shared\LogServices2\LogDB.cppOPTYPE_PROGMANISLOGDB_USER_PROPERTIES4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028C739C cpuid 42_2_00007FFB028C739C
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion DigitalProductId
Source: C:\Windows\System32\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C: VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIEF9A.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIEF9A.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIF846.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIF846.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIF846.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIC3D.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSIC3D.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI30E1.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI30E1.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Installer\MSI30E1.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Tasks\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Tasks.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Collections\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Collections.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ValueTuple\v4.0_4.0.0.0__cc7b13ffcd2ddd51\System.ValueTuple.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation
Source: C:\Windows\SysWOW64\msiexec.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028CCC04 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 42_2_00007FFB028CCC04
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB028C85D4 _lock,_get_daylight,_get_daylight,_get_daylight,___lc_codepage_func,free,_malloc_crt,_invoke_watson,free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson,_invoke_watson, 42_2_00007FFB028C85D4
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Provider\Av\{D68DDC3A-831F-4fae-9E44-DA132C1ACF46} STATE
Source: svchost.exe, 00000007.00000002.2520461985.000001F24B902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: gramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000007.00000002.2520461985.000001F24B902000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiVirusProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from AntiSpywareProduct
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select displayName,productState from FirewallProduct
Source: C:\Program Files\Windows Defender\MpCmdRun.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct

Remote Access Functionality

Source: Yara match File source: 26.2.AgentPackageAgentInformation.exe.1e308250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 39.0.AgentPackageSTRemote.exe.26ac7a50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.2.AgentPackageMonitoring.exe.195feeb0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 42.0.AgentPackageMonitoring.exe.195fea10000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.0.AteraAgent.exe.21ec66a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.0.AgentPackageAgentInformation.exe.1e307e90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001E.00000002.2521265011.00000262808D3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.1350402891.0000000004B71000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1835216098.0000019580001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2010230473.000001BCA8260000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2132278121.00007FFB22750000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.0000026280001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1660963183.00007FFB22750000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1436215584.0000021EC84F6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.000002628087C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1654927825.000001E307F90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1891720930.000001E309440000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1888418091.000001E309120000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2315188935.0000026AC7C40000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1962237945.000001BC8F41B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1654927825.000001E307FD1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.1766996060.0000019DFDC10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2115076507.000001D6FB302000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.1365685073.0000000003FA8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000035.00000003.2053399123.00000138EEFD7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.00000262808DA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1842672350.00000195FECF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.00000262808B6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FE0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1841781096.00000195FEB1C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1843120416.00000195FEEB2000.00000002.00000001.01000000.0000001F.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1434933315.0000021EC68AB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2091433088.000001D680073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2115076507.000001D6FB2C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2561782268.00000262ECB8E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1892336256.000001E309D8F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1436215584.0000021EC8444000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2561782268.00000262ECB2A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2575429878.00007FFB22750000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC90158000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2117470713.000001D6FB5F0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2559992656.00000262EBE20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2348422967.0000026AC82D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FD28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.1297756832.0000000004CDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2374985635.0000026AE0C3E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2115076507.000001D6FB2BB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2290862731.0000000000750000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1892336256.000001E309CC3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2091433088.000001D680001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FE9F000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1888418091.000001E3091A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FD6A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1656982282.000001E3087A3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000035.00000003.2004577350.00000138EF120000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1664750521.0000025D44623000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1654927825.000001E30801D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1436215584.0000021EC850C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1664077063.0000025D43DC8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1840870225.0000019598967000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2556677866.00000262EB9C0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2557101634.00000262EBBBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2564491155.00000262ECF23000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1434933315.0000021EC68C1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1937563309.00007FFB22750000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.0000026280575000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1901770604.000001E322220000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2015601609.000001BCA86FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1906238453.000001E3224A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1525650157.00000000047E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1434933315.0000021EC6880000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.000002628078B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1436215584.0000021EC84C2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.0000026280510000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1435440015.0000021EC6A70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1841781096.00000195FEB50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FE10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1845105826.00000195FFBF6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.000002628064E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2014420654.000001BCA86AA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC90028000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FDC2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1962237945.000001BC8F3CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1437477207.0000021EE0C1A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1434933315.0000021EC6910000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1664750521.0000025D445B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2121346286.000001D6FC4F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1892336256.000001E309D5C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1841740985.00000195FEB00000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1892336256.000001E309D8B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1664077063.0000025D43D7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2374985635.0000026AE0C20000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.1768377027.000001594FDF3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1840909645.0000019598B65000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2115076507.000001D6FB304000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2115076507.000001D6FB280000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000003.1698361399.000001594FFC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.00000262807F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1866889823.00007FFB02A59000.00000004.00000001.01000000.0000001E.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1892336256.000001E309D21000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1436215584.0000021EC844A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1664039020.0000025D43D50000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FB02000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FD67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1436069912.0000021EC8320000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.1525650157.0000000004741000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.1303253528.00000000048CA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000035.00000002.2053895683.00000138EEFB0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1656424184.000001E3081E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1656982282.000001E308793000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FEEA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1664750521.0000025D44633000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2348422967.0000026AC8348000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1444741920.00007FFB0B840000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2032625355.00007FFB22750000.00000004.00000001.01000000.00000013.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1835216098.00000195805B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2512577831.000000F44E5C5000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1892336256.000001E309BF3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1434933315.0000021EC68A3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2124094453.000001D6FC699000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FA74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1439568660.0000021EE0EB2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002F.00000002.2290718837.0000000000550000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.0000026280578000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000000.1383292218.0000021EC66A2000.00000002.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FFFE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.1664077063.0000025D43D60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2118125342.000001D6FC400000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1962237945.000001BC8F390000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000035.00000002.2053895683.00000138EEFBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1892336256.000001E309B61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1960487121.000001BC8F1D0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.000002628096D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1961117785.000001BC8F310000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1654927825.000001E307FD4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1436215584.0000021EC8391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1841781096.00000195FEB10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.0000026280064000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FFCC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2091433088.000001D6805E8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000035.00000002.2053895683.00000138EEFD3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2091433088.000001D6805E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.0000026280816000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1901770604.000001E322252000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.00000262808BE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2015601609.000001BCA86EC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1892336256.000001E309D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.0000026280651000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1656982282.000001E308721000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000035.00000002.2054248515.00000138EF100000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.1656716822.000001E308252000.00000002.00000001.01000000.0000001A.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2564491155.00000262ECF11000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2564491155.00000262ECF41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2014420654.000001BCA869B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1888418091.000001E30915B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.2010230473.000001BCA833C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2557101634.00000262EBB8D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000000.1623145179.000001E307E92000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2315188935.0000026AC7C65000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2347741518.0000026AC7F30000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2091433088.000001D680047000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000000.1719532308.0000026AC7A52000.00000002.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1436215584.0000021EC8442000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.1443441000.00007FFAAB614000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8FBB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC8F9F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1903528454.000001E3222F5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.1449338023.000000000444C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2348422967.0000026AC84D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000016.00000002.1974036972.000001BC9005B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000002A.00000002.1835216098.00000195800ED000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.2521265011.0000026280129000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.1892336256.000001E309DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2091433088.000001D680083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000033.00000002.2091433088.000001D6801D4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 6420, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 2876, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1792, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AteraAgent.exe PID: 2020, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AteraAgent.exe PID: 1912, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: rundll32.exe PID: 1532, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 4484, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 5192, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AteraAgent.exe PID: 6120, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 2092, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 4204, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cscript.exe PID: 4472, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageSTRemote.exe PID: 2992, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageMonitoring.exe PID: 7076, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: SplashtopStreamer.exe PID: 5112, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 6804, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmd.exe PID: 4788, type: MEMORYSTR
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DF2237F4E9D297A014.TMP, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DFF969F38483E27E5E.TMP, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.Common.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSI30E1.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DF03125EAE88006211.TMP, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DF6F58E4A8AF7C3683.TMP, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSI145C.tmp, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSIC3D.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSIF846.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DFEBD01078416FA7FA.TMP, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DFA995A233DF6BCD2A.TMP, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DFC953259130AC3042.TMP, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\~DF3DD454460BE2E1AB.TMP, type: DROPPED
Source: Yara match File source: C:\Windows\Installer\MSIEF9A.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
Source: Yara match File source: C:\Config.Msi\67ee34.rbs, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe, type: DROPPED
Source: Yara match File source: C:\Windows\Temp\Microsoft_.NET_Runtime_-_6.0.35_(x64)_20241025105223_000_dotnet_runtime_6.0.35_win_x64.msi.log, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingPackageExtensions.dll, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe, type: DROPPED
Source: Yara match File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe, type: DROPPED
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe Code function: 42_2_00007FFB0290B9F0 GetModuleHandleW,OutputDebugStringA,GetProcAddress,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,GetModuleHandleW,OutputDebugStringA,GetLastError,GetProcAddress,OutputDebugStringA,OutputDebugStringA,CorBindToRuntimeEx,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,OutputDebugStringA,_snprintf,OutputDebugStringA, 42_2_00007FFB0290B9F0