Windows Analysis Report
5c13e6.msi

Overview

General Information

Sample name:	5c13e6.msi
Analysis ID:	1564527
MD5:	0220a7d4b82136a3c7973a627e4b5f50
SHA1:	0358023548ea3d3dd86de19abb7c2ddb15010736
SHA256:	0ef72d3570f61432dcb4f1afbb64c54775d497feaa127e5771dd550f245fd28e
Tags:	msiMuddyWaterTA450user-smica83
Infos:

Detection

AteraAgent

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected AteraAgent

AI detected suspicious sample

Creates files in the system32 config directory

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Reads the Security eventlog

Reads the System eventlog

Yara detected Generic Downloader

Abnormal high CPU Usage

Adds / modifies Windows certificates

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks for available system drives (often done to infect USB drives)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Creates or modifies windows services

Deletes files inside the Windows folder

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the windows directory (C:\Windows)

Drops certificate files (DER)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Stores large binary data to the registry

Suricata IDS alerts with low severity for network traffic

Uses code obfuscation techniques (call, push, ret)

Uses net.exe to stop services

Uses taskkill to terminate processes

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: 5c13e6.msi

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.5% probability

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.4:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50060 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50098 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50114 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50129 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50134 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50137 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50142 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50146 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50150 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50153 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50158 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50185 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50197 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50207 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50210 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50219 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50222 version: TLS 1.2

Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000014.00000000.2076737849.00000249FF0A2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.13.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.16.dr, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.3.dr, AlphaControlAgentInstallation.dll.4.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB4A000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.13.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.1.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB4A000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.13.dr, Newtonsoft.Json.dll.1.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000015.00000002.2115276194.0000025EA7532000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.13.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.1.dr
Source:	Binary string: t.pdb source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: 5c13e6.msi, MSI8753.tmp.1.dr, MSI87B1.tmp.1.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000015.00000002.2115276194.0000025EA7532000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.13.dr
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: mscorlib.pdb source: AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.1.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.1.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1805925767.000002B03A3F2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.1.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1805925767.000002B03A3F2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: 5c13e6.msi, MSI6BB9.tmp.1.dr, MSI82CC.tmp.1.dr, MSI6995.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, MSIA1A4.tmp.1.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.4122014011.000001635E9B2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.1.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.4122014011.000001635E9B2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.1.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.1.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.1.dr
Source:	Binary string: m.pdb source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401873h	12_2_00007FFD9B400C54
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B40227Bh	12_2_00007FFD9B400C54
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401A44h	12_2_00007FFD9B40187E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401FFFh	12_2_00007FFD9B40187E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401FFFh	12_2_00007FFD9B401EB6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401FFFh	12_2_00007FFD9B401E88
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401FFFh	12_2_00007FFD9B401E7E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B3F4ECBh	13_2_00007FFD9B3F4C41
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B40B972h	13_2_00007FFD9B40B5E7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B40B972h	13_2_00007FFD9B40B620
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B3F4ECBh	13_2_00007FFD9B3F4E45
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B3F1873h	13_2_00007FFD9B3F0C7D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B3F227Bh	13_2_00007FFD9B3F0C7D

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 20.0.AgentPackageAgentInformation.exe.249ff0a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0180680e-e6cb-400e-83d6-3808eb668088&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d4bd921a-933d-426f-b266-ff3906eda0dc&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=fe0f6a4a-994b-4250-bc9b-b5822a0b9625&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=85b6ec95-85ff-48c0-b641-0635eec35d5a&tr=31&tt=17327967181942066&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c1235ff2-1096-4bcd-b42c-92f552aac0b4&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=31245592-ca57-413a-838a-25566e4ba460&tr=31&tt=17327967212159752&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?UyM4OKsXi02Wlo6WrMNEmiHtL2QX34SATWbzw9cq4uYc0GhCgNxtNi1ckT3zhZxu HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=82932ee4-68f1-41e8-a024-0cd7c0b9453a&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0ac8d5be-9b13-42b0-ad4f-ffb3f59f5a96&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ac4fb316-6088-4f09-94da-3e83236acc31&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=4456492b-4d48-43aa-9701-ba768c2eafcf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=329cd285-2dd4-4cef-8f0f-afb56ab5caec&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9d7c3066-85d2-4aca-befa-2fb669ffcf02&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6eac0c19-ed81-4142-86ce-d4bfe2f9e3ff&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8b625c78-4452-4758-a3e8-31be98496c25&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bb8be473-c9e0-49d3-afb3-ff89cc2038f2&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=78d5a8c0-6e60-43a1-8c43-b430a42d1135&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=51b5a75b-eddb-4e11-99de-ac8ea9cd314a&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=cad12679-119f-4810-9e43-100014c76ca9&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=650d986d-f869-4f59-a614-09a3b5f2c7c9&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=06a8ce5e-13a8-41de-a6cf-80410b04d784&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=35e6706e-2565-4810-9687-a6621cd90331&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=4d7f2f21-f9de-4400-92e4-bcfafd642b55&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a543e4d2-478c-4637-a32f-01e5c1d96820&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5217d3d2-da87-42e8-9726-56daff914c54&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=363c6e5c-519b-49a4-bb28-3c290a721f04&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=98770db9-b9c5-40a7-84a7-ea720f9b7aa0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d8be8b67-b9dc-4bd8-9f60-1df842ebee06&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ba6a13f1-ebc9-4a1b-b6ac-2f0177a0d113&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6034c0a1-69c3-4133-811f-0c50e51722c0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=79b0f33b-8550-42a3-8fa1-b61745ab84d2&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c7e4c087-67a4-410d-b929-654d988ae41f&tr=31&tt=17327967212159752&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e8f28b6b-37cc-4f5c-8acf-ec9a0854bbaf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=914d5960-15b7-4468-88cf-9462e85c2124&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf670f90-2c48-42f2-8c3d-1518a12474cf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 108.158.75.4 108.158.75.4
Source: Joe Sandbox View	IP Address: 13.232.67.198 13.232.67.198
Source: Joe Sandbox View	IP Address: 13.232.67.199 13.232.67.199

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49750 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49781 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49821 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49922 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49894 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49847 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49952 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50222 -> 13.232.67.199:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49979 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49877 -> 13.232.67.198:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0180680e-e6cb-400e-83d6-3808eb668088&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d4bd921a-933d-426f-b266-ff3906eda0dc&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=fe0f6a4a-994b-4250-bc9b-b5822a0b9625&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=85b6ec95-85ff-48c0-b641-0635eec35d5a&tr=31&tt=17327967181942066&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c1235ff2-1096-4bcd-b42c-92f552aac0b4&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=31245592-ca57-413a-838a-25566e4ba460&tr=31&tt=17327967212159752&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?UyM4OKsXi02Wlo6WrMNEmiHtL2QX34SATWbzw9cq4uYc0GhCgNxtNi1ckT3zhZxu HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=82932ee4-68f1-41e8-a024-0cd7c0b9453a&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0ac8d5be-9b13-42b0-ad4f-ffb3f59f5a96&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ac4fb316-6088-4f09-94da-3e83236acc31&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=4456492b-4d48-43aa-9701-ba768c2eafcf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=329cd285-2dd4-4cef-8f0f-afb56ab5caec&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9d7c3066-85d2-4aca-befa-2fb669ffcf02&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6eac0c19-ed81-4142-86ce-d4bfe2f9e3ff&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8b625c78-4452-4758-a3e8-31be98496c25&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bb8be473-c9e0-49d3-afb3-ff89cc2038f2&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=78d5a8c0-6e60-43a1-8c43-b430a42d1135&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=51b5a75b-eddb-4e11-99de-ac8ea9cd314a&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=cad12679-119f-4810-9e43-100014c76ca9&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=650d986d-f869-4f59-a614-09a3b5f2c7c9&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=06a8ce5e-13a8-41de-a6cf-80410b04d784&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=35e6706e-2565-4810-9687-a6621cd90331&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=4d7f2f21-f9de-4400-92e4-bcfafd642b55&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a543e4d2-478c-4637-a32f-01e5c1d96820&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5217d3d2-da87-42e8-9726-56daff914c54&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=363c6e5c-519b-49a4-bb28-3c290a721f04&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=98770db9-b9c5-40a7-84a7-ea720f9b7aa0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d8be8b67-b9dc-4bd8-9f60-1df842ebee06&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ba6a13f1-ebc9-4a1b-b6ac-2f0177a0d113&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6034c0a1-69c3-4133-811f-0c50e51722c0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=79b0f33b-8550-42a3-8fa1-b61745ab84d2&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c7e4c087-67a4-410d-b929-654d988ae41f&tr=31&tt=17327967212159752&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e8f28b6b-37cc-4f5c-8acf-ec9a0854bbaf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=914d5960-15b7-4468-88cf-9462e85c2124&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf670f90-2c48-42f2-8c3d-1518a12474cf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com

Source: global traffic	DNS traffic detected: DNS query: agent-api.atera.com
Source: global traffic	DNS traffic detected: DNS query: ps.pndsn.com
Source: global traffic	DNS traffic detected: DNS query: ps.atera.com

Source: AteraAgent.exe, 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163458F1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe.1.dr	String found in binary or memory: http://acontrol.atera.com/
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EF3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EDD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EFB000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000051A5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.000002498012F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA772F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://agent-api.atera.com
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EF3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EDD000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000051A5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.000002498012F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA772F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4119372765.000001635E2B0000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, ICSharpCode.SharpZipLib.dll.1.dr, AteraAgent.exe.1.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E2E5000.00000004.00000020.00020000.00000000.sdmp, F2E248BEDDBB2D85122423C41028BFD40.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114768410.00000249983EB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2117522900.0000025EBFD93000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2117782628.0000025EBFE18000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.13.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/ind.
Source: AgentPackageAgentInformation.exe, 00000015.00000002.2117782628.0000025EBFE2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: AgentPackageAgentInformation.exe, 00000015.00000002.2117522900.0000025EBFDEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A285000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: AteraAgent.exe, 0000000C.00000002.1803756057.000002B02006E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl&
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, ICSharpCode.SharpZipLib.dll.1.dr, AteraAgent.exe.1.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl9N4
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlrtG
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/lS
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crllorer
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl&
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, ICSharpCode.SharpZipLib.dll.1.dr, AteraAgent.exe.1.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl9.
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlR_8
Source: AteraAgent.exe, 0000000C.00000002.1803756057.000002B02006E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlW.
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlH$
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: AgentPackageAgentInformation.exe, 00000014.00000000.2076737849.00000249FF0A2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.13.dr	String found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
Source: Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A285000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/.
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4119372765.000001635E2E5000.00000004.00000020.00020000.00000000.sdmp, 8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A9440.13.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB0.12.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4112182700.00000163451FB000.00000004.00000020.00020000.00000000.sdmp, C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.13.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/l
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/mY
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4119372765.000001635E2B0000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, ICSharpCode.SharpZipLib.dll.1.dr, AteraAgent.exe.1.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114768410.00000249983EB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2117522900.0000025EBFD93000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2117782628.0000025EBFE18000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.13.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, MSI87B1.tmp.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Newtonsoft.Json.dll.16.dr, MSI87B1.tmp.1.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crlO
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.pndsn.com
Source: AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163458F1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.0000024980083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA76BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://wixtoolset.org
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EF7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EE1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.000001634629E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EF3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.P
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.P(
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.PR
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.Pj
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.Pjv
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.aterD
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345D93000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345CDD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E55000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.0000024980083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA76BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.16.dr, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.3.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.16.dr, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.3.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com/
Source: AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.0000024980083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA76BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.16.dr, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.3.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com/Production/Agent/
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345D93000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.000001634629E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/Age
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting)
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStartingB
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStartingX7.
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStartingp
Source: AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.0000024980083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA76BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E51000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345ADB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback0
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback2/
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsp
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurrin
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesibe
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesnection
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesnterval
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005156000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000051C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB48000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: System.ValueTuple.dll.1.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: System.ValueTuple.dll.1.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: AteraAgent.exe, 0000000D.00000002.4122014011.000001635E9B2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.1.dr	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com
Source: AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/A
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Pac
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A90000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A74000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/A
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformati
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A90000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A74000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPa
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskSchedul
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageWindowsUpdate/18.3/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345976000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0180680e-e6cb-400e-83d6-3808eb668088
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=377417ee-b208-4922-a278-778329313858
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=811d9700-d678-4b14-9442-20877f787d98
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ba6a13f1-ebc9-4a1b-b6ac-2f0177a0d113
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bc48e4ab-59d5-4385-9ebb-6bdf934e8e43
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E65000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf670f90-2c48-42f2-8c3d-1518a12474cf
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d1a4fa35-d7fa-4da0-99b6-08c62f57c171
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e1b9fd91-c306-4290-9b3f-369d7c5c009e
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f452f05c-24ab-44c2-90a0-e6c8fdaa9194
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f8b53c58-e2e7-4a77-a6fb-ccd81bb3df54
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ffe6d5cf-fafd-40b4-8a1e-0da4f848d80d
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.1.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB4A000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown	Network traffic detected: HTTP traffic on port 50202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50228
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50186
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50185
Source: unknown	Network traffic detected: HTTP traffic on port 50186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50222
Source: unknown	Network traffic detected: HTTP traffic on port 50222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50197
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 50169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50158
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 50228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50166
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50202
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.4:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50060 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50098 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50114 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50129 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50134 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50137 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50142 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50146 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50150 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50153 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50158 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50185 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50197 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50207 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50210 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50219 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50222 version: TLS 1.2

Drops certificate files (DER)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Abnormal high CPU Usage

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process Stats: CPU usage > 49%

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c685d.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6995.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BB9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI82CC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8742.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8753.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI87B1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI88BC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c685f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c685f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1A4.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\CustomAction.config	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI6995.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_3_075175C8	4_3_075175C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_3_07510040	4_3_07510040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04BD50B8	5_3_04BD50B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04BD59A8	5_3_04BD59A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04BD4D68	5_3_04BD4D68
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 12_2_00007FFD9B400C54	12_2_00007FFD9B400C54
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 12_2_00007FFD9B40C9A1	12_2_00007FFD9B40C9A1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 12_2_00007FFD9B40BBF1	12_2_00007FFD9B40BBF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 12_2_00007FFD9B400C84	12_2_00007FFD9B400C84
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B411BEE	13_2_00007FFD9B411BEE
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B413870	13_2_00007FFD9B413870
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B40C910	13_2_00007FFD9B40C910
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B401CE0	13_2_00007FFD9B401CE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B3F9AF2	13_2_00007FFD9B3F9AF2
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B40900E	13_2_00007FFD9B40900E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B40CF58	13_2_00007FFD9B40CF58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B60FC31	13_2_00007FFD9B60FC31
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B3F0C7D	13_2_00007FFD9B3F0C7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_3_07570040	16_3_07570040
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3FFA94	20_2_00007FFD9B3FFA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3F78D6	20_2_00007FFD9B3F78D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B40100A	20_2_00007FFD9B40100A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3F8682	20_2_00007FFD9B3F8682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B41047D	20_2_00007FFD9B41047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3F73D9	20_2_00007FFD9B3F73D9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3F12FB	20_2_00007FFD9B3F12FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B4010C0	20_2_00007FFD9B4010C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3FBDB0	20_2_00007FFD9B3FBDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B40FA94	21_2_00007FFD9B40FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B4078D6	21_2_00007FFD9B4078D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B41100A	21_2_00007FFD9B41100A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B408682	21_2_00007FFD9B408682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B42047D	21_2_00007FFD9B42047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B4012FA	21_2_00007FFD9B4012FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B4110C0	21_2_00007FFD9B4110C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B40BD10	21_2_00007FFD9B40BD10

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2

Sample file is different than original file name gathered from version info

Source: 5c13e6.msi	Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs 5c13e6.msi
Source: 5c13e6.msi	Binary or memory string: OriginalFilenameSfxCA.dll\ vs 5c13e6.msi
Source: 5c13e6.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs 5c13e6.msi

Source: ICSharpCode.SharpZipLib.dll.1.dr, InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.1.dr, DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.1.dr, ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: AteraAgent.exe.1.dr, SignatureValidator.cs

Base64 encoded string: 'MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0YmxeR/2wifvwd/MQXb/5tsLsvlMs50tmraklX8MKsU1EgEpRZ+W0Ro1ZHoLhQG53oq9hPz9bmJge78yZr6l1QJWz6wCj+yQUxM5f0gt4fHEf2yA94Tklnds7JPr2vQRb5rjAnxnt7722oWFc1bxFFsIcIhOI/EHYCE0qSPE1pKMXALkHZYoDQEFUu3YgEc0Oo7ClJNFrB75g6tVZRqGKxVvYQBb9zKDxhBRnDkhZuB7D1gRaR9PNwCr7tVtPt40c+CCf5ktUkeu4JzaiEipWvKYgRvotqsFtZF5uFso2UmdvxO+lIw9i/GPDfgS4JhKu/Y9lCuaan+xEluhSK0vpQIDAQAB'

Source: classification engine

Classification label: mal88.troj.spyw.evad.winMSI@34/79@34/3

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ATERA Networks

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1308:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF6D201690A06C6388.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\net1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6995.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5007890 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId

Source: 5c13e6.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: 5c13e6.msi

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\5c13e6.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6035F6485629B3656802BDCB68379B97
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6995.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5007890 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6BB9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5008359 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI82CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5014250 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8C2A075FB1C9BFF9A65B59CB5274A31B E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="matteobianchini1965@autograf.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000NxmUvIAJ" /AgentId="ff94aff6-2883-4c67-9794-e0ddc81d610f"
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA1A4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5022156 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "87885c4b-c98b-4114-8df6-f508dfdcbf5a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "81e73b14-e55c-40af-aa45-a29326f84cb3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ
Source: C:\Windows\SysWOW64\net1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6035F6485629B3656802BDCB68379B97	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8C2A075FB1C9BFF9A65B59CB5274A31B E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="matteobianchini1965@autograf.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000NxmUvIAJ" /AgentId="ff94aff6-2883-4c67-9794-e0ddc81d610f"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6995.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5007890 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6BB9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5008359 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI82CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5014250 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA1A4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5022156 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "87885c4b-c98b-4114-8df6-f508dfdcbf5a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "81e73b14-e55c-40af-aa45-a29326f84cb3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 5c13e6.msi

Static file information: File size 2994176 > 1048576

Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000014.00000000.2076737849.00000249FF0A2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.13.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.16.dr, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.3.dr, AlphaControlAgentInstallation.dll.4.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB4A000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.13.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.1.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB4A000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.13.dr, Newtonsoft.Json.dll.1.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000015.00000002.2115276194.0000025EA7532000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.13.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.1.dr
Source:	Binary string: t.pdb source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: 5c13e6.msi, MSI8753.tmp.1.dr, MSI87B1.tmp.1.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000015.00000002.2115276194.0000025EA7532000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.13.dr
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: mscorlib.pdb source: AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.1.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.1.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1805925767.000002B03A3F2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.1.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1805925767.000002B03A3F2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: 5c13e6.msi, MSI6BB9.tmp.1.dr, MSI82CC.tmp.1.dr, MSI6995.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, MSIA1A4.tmp.1.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.4122014011.000001635E9B2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.1.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.4122014011.000001635E9B2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.1.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.1.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.1.dr
Source:	Binary string: m.pdb source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp

Binary contains a suspicious time stamp

Source: BouncyCastle.Crypto.dll.1.dr

Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]

PE file contains an invalid checksum

Source: MSI6995.tmp.1.dr	Static PE information: real checksum: 0x32353 should be: 0x88610
Source: AlphaControlAgentInstallation.dll.3.dr	Static PE information: real checksum: 0x0 should be: 0xe266
Source: MSI6BB9.tmp.1.dr	Static PE information: real checksum: 0x32353 should be: 0x88610
Source: MSIA1A4.tmp.1.dr	Static PE information: real checksum: 0x32353 should be: 0x88610
Source: MSI82CC.tmp.1.dr	Static PE information: real checksum: 0x32353 should be: 0x88610

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_3_0742B235 push ds; ret	4_3_0742B243
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_3_07514ECF push dword ptr [esp+ecx*2-75h]; ret	4_3_07514ED3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B410AD8 pushad ; ret	13_2_00007FFD9B410AE1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B40CE75 push ebx; retf 0003h	13_2_00007FFD9B40CE8A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B605930 push esp; retn 5F2Ch	13_2_00007FFD9B6062D9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B606414 push eax; ret	13_2_00007FFD9B606444
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B601EFC push eax; ret	13_2_00007FFD9B601F14
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B6009B1 push eax; ret	13_2_00007FFD9B6009D4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B6011E1 push eax; ret	13_2_00007FFD9B601204
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_3_0748B235 push ds; ret	16_3_0748B243
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_3_07574ECF push dword ptr [esp+ecx*2-75h]; ret	16_3_07574ED3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3F00BD pushad ; iretd	20_2_00007FFD9B3F00C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B4000BD pushad ; iretd	21_2_00007FFD9B4000C1

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Drops PE files

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI82CC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1A4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BB9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6995.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8753.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI87B1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI88BC.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI82CC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1A4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BB9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI87B1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI88BC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6995.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8753.tmp	Jump to dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Creates or modifies windows services

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Uses net.exe to stop services

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\net1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 2B0219C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 2B0399F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 16345420000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1635D8F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 249FF400000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 249FFBF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 25EA6F40000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 25EBF600000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 5488
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 4169

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1A4.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6995.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB9.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI82CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI82CC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1A4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI82CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1A4.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6995.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI82CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8753.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6995.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB9.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6995.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI87B1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI88BC.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7692	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8068	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7208	Thread sleep count: 5488 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7208	Thread sleep count: 4169 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7184	Thread sleep count: 33 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7184	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7184	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7484	Thread sleep time: -120000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2504	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7400	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1104	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8064	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8012	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7944	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\net1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\net1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Source: AgentPackageAgentInformation.exe.13.dr	Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
Source: AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWts.digicert.comDigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crtB\
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120518089.000001635E670000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000010.00000002.1867907620.000000000355A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1866461004.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: rundll32.exe, 00000004.00000002.1728174926.00000000032F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: AgentPackageAgentInformation.exe, 00000014.00000002.2114768410.0000024998365000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2117522900.0000025EBFDC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="matteobianchini1965@autograf.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000NxmUvIAJ" /AgentId="ff94aff6-2883-4c67-9794-e0ddc81d610f"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "87885c4b-c98b-4114-8df6-f508dfdcbf5a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "81e73b14-e55c-40af-aa45-a29326f84cb3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="matteobianchini1965@autograf.pl" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000nxmuviaj" /agentid="ff94aff6-2883-4c67-9794-e0ddc81d610f"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "87885c4b-c98b-4114-8df6-f508dfdcbf5a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000nxmuviaj
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "81e73b14-e55c-40af-aa45-a29326f84cb3" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000nxmuviaj
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="matteobianchini1965@autograf.pl" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000nxmuviaj" /agentid="ff94aff6-2883-4c67-9794-e0ddc81d610f"	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "87885c4b-c98b-4114-8df6-f508dfdcbf5a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000nxmuviaj
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "81e73b14-e55c-40af-aa45-a29326f84cb3" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000nxmuviaj

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI6995.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI6BB9.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI6BB9.tmp-\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI82CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIA1A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIA1A4.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Adds / modifies Windows certificates

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Remote Access Functionality

Yara detected AteraAgent

Source: Yara match	File source: 21.2.AgentPackageAgentInformation.exe.25ea7530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.AteraAgent.exe.2b01fea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.AgentPackageAgentInformation.exe.249ff0a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4112182700.00000163451AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2114097425.0000024980073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021AA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021B22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114464678.0000025EA6E78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114464678.0000025EA6E35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4114698045.000001634595D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4111980310.00000163450A0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803530463.000002B01FF70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4120518089.000001635E6AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115566795.00000249FF2CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4112182700.00000163451FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.2076737849.00000249FF0A2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1806480577.000002B03A590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114464678.0000025EA6E0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B020020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B020040000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B020026000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021B56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115443883.0000025EA7673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114464678.0000025EA6E2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114402419.0000025EA6DF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115038756.0000025EA6F90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115522472.00000249FF2A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1807832870.00007FFD9B494000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4120518089.000001635E68B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4108029659.0000005DF3B15000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1806651038.000002B03A5B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B02006E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115566795.00000249FF300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115566795.00000249FF2C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115443883.0000025EA7647000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114402419.0000025EA6DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4114554008.00000163454B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115443883.0000025EA7601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021A7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B01FFE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4112182700.00000163451CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115276194.0000025EA7532000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021AA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2117484023.0000025EBFD89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4120518089.000001635E670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115443883.0000025EA7683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115566795.00000249FF34C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115566795.00000249FF307000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4114698045.0000016345EBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B01FFE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4112182700.0000016345170000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115443883.0000025EA76BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2114097425.0000024980083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2114097425.0000024980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B0219F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4114698045.00000163458F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Temp\~DF1C46BEF5561279DD.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFCC791DA1EF222C85.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\4c685e.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF6331E09D6B6BFB1B.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFBFB6DF824FA39372.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF0301261F3F564947.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF6D201690A06C6388.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI8742.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
108.158.75.4	d25btwd9wax8gu.cloudfront.net	United States	16509	AMAZON-02US	false
13.232.67.198	ps.pndsn.com	United States	16509	AMAZON-02US	false
13.232.67.199	unknown	United States	16509	AMAZON-02US	false

Contacted Domains

Name	IP	Active
ps.pndsn.com	13.232.67.198	true
bg.microsoft.map.fastly.net	199.232.214.172	true
d25btwd9wax8gu.cloudfront.net	108.158.75.4	true
fp2e7a.wpc.phicdn.net	192.229.221.95	true
ps.atera.com	unknown	unknown
agent-api.atera.com	unknown	unknown

Contacted URLs

Name	Malicious	Reputation
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d8be8b67-b9dc-4bd8-9f60-1df842ebee06&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c7e4c087-67a4-410d-b929-654d988ae41f&tr=31&tt=17327967212159752&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=31245592-ca57-413a-838a-25566e4ba460&tr=31&tt=17327967212159752&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf670f90-2c48-42f2-8c3d-1518a12474cf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bb8be473-c9e0-49d3-afb3-ff89cc2038f2&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=363c6e5c-519b-49a4-bb28-3c290a721f04&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a543e4d2-478c-4637-a32f-01e5c1d96820&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=fe0f6a4a-994b-4250-bc9b-b5822a0b9625&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6eac0c19-ed81-4142-86ce-d4bfe2f9e3ff&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0180680e-e6cb-400e-83d6-3808eb668088&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ba6a13f1-ebc9-4a1b-b6ac-2f0177a0d113&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c1235ff2-1096-4bcd-b42c-92f552aac0b4&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=98770db9-b9c5-40a7-84a7-ea720f9b7aa0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=78d5a8c0-6e60-43a1-8c43-b430a42d1135&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5217d3d2-da87-42e8-9726-56daff914c54&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=cad12679-119f-4810-9e43-100014c76ca9&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ac4fb316-6088-4f09-94da-3e83236acc31&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=914d5960-15b7-4468-88cf-9462e85c2124&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d4bd921a-933d-426f-b266-ff3906eda0dc&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=79b0f33b-8550-42a3-8fa1-b61745ab84d2&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high
https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=329cd285-2dd4-4cef-8f0f-afb56ab5caec&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f	false	high

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

ReversingLabs: Detection: 26%

Multi AV Scanner detection for submitted file

Source: 5c13e6.msi

ReversingLabs: Detection: 26%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 92.5% probability

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.4:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50060 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50098 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50114 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50129 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50134 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50137 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50142 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50146 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50150 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50153 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50158 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50185 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50197 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50207 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50210 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50219 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50222 version: TLS 1.2

Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000014.00000000.2076737849.00000249FF0A2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.13.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.16.dr, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.3.dr, AlphaControlAgentInstallation.dll.4.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB4A000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.13.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.1.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB4A000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.13.dr, Newtonsoft.Json.dll.1.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000015.00000002.2115276194.0000025EA7532000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.13.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.1.dr
Source:	Binary string: t.pdb source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: 5c13e6.msi, MSI8753.tmp.1.dr, MSI87B1.tmp.1.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000015.00000002.2115276194.0000025EA7532000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.13.dr
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: mscorlib.pdb source: AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.1.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.1.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1805925767.000002B03A3F2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.1.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1805925767.000002B03A3F2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: 5c13e6.msi, MSI6BB9.tmp.1.dr, MSI82CC.tmp.1.dr, MSI6995.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, MSIA1A4.tmp.1.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.4122014011.000001635E9B2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.1.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.4122014011.000001635E9B2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.1.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.1.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.1.dr
Source:	Binary string: m.pdb source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp

Checks for available system drives (often done to infect USB drives)

Source: C:\Windows\System32\msiexec.exe	File opened: z:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: x:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: v:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: t:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: r:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: p:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: n:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: l:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: j:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: h:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: f:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: b:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: y:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: w:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: u:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: s:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: q:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: o:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: m:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: k:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: i:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: g:	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File opened: e:	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File opened: c:
Source: C:\Windows\System32\msiexec.exe	File opened: a:	Jump to behavior

Found inlined nop instructions (likely shell or obfuscated code)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401873h	12_2_00007FFD9B400C54
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B40227Bh	12_2_00007FFD9B400C54
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401A44h	12_2_00007FFD9B40187E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401FFFh	12_2_00007FFD9B40187E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401FFFh	12_2_00007FFD9B401EB6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401FFFh	12_2_00007FFD9B401E88
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B401FFFh	12_2_00007FFD9B401E7E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B3F4ECBh	13_2_00007FFD9B3F4C41
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B40B972h	13_2_00007FFD9B40B5E7
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B40B972h	13_2_00007FFD9B40B620
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B3F4ECBh	13_2_00007FFD9B3F4E45
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B3F1873h	13_2_00007FFD9B3F0C7D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 4x nop then jmp 00007FFD9B3F227Bh	13_2_00007FFD9B3F0C7D

Networking

Yara detected Generic Downloader

Source: Yara match	File source: 20.0.AgentPackageAgentInformation.exe.249ff0a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0180680e-e6cb-400e-83d6-3808eb668088&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d4bd921a-933d-426f-b266-ff3906eda0dc&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=fe0f6a4a-994b-4250-bc9b-b5822a0b9625&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=85b6ec95-85ff-48c0-b641-0635eec35d5a&tr=31&tt=17327967181942066&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c1235ff2-1096-4bcd-b42c-92f552aac0b4&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=31245592-ca57-413a-838a-25566e4ba460&tr=31&tt=17327967212159752&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?UyM4OKsXi02Wlo6WrMNEmiHtL2QX34SATWbzw9cq4uYc0GhCgNxtNi1ckT3zhZxu HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=82932ee4-68f1-41e8-a024-0cd7c0b9453a&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0ac8d5be-9b13-42b0-ad4f-ffb3f59f5a96&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ac4fb316-6088-4f09-94da-3e83236acc31&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=4456492b-4d48-43aa-9701-ba768c2eafcf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=329cd285-2dd4-4cef-8f0f-afb56ab5caec&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9d7c3066-85d2-4aca-befa-2fb669ffcf02&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6eac0c19-ed81-4142-86ce-d4bfe2f9e3ff&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8b625c78-4452-4758-a3e8-31be98496c25&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bb8be473-c9e0-49d3-afb3-ff89cc2038f2&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=78d5a8c0-6e60-43a1-8c43-b430a42d1135&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=51b5a75b-eddb-4e11-99de-ac8ea9cd314a&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=cad12679-119f-4810-9e43-100014c76ca9&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=650d986d-f869-4f59-a614-09a3b5f2c7c9&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=06a8ce5e-13a8-41de-a6cf-80410b04d784&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=35e6706e-2565-4810-9687-a6621cd90331&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=4d7f2f21-f9de-4400-92e4-bcfafd642b55&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a543e4d2-478c-4637-a32f-01e5c1d96820&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5217d3d2-da87-42e8-9726-56daff914c54&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=363c6e5c-519b-49a4-bb28-3c290a721f04&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=98770db9-b9c5-40a7-84a7-ea720f9b7aa0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d8be8b67-b9dc-4bd8-9f60-1df842ebee06&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ba6a13f1-ebc9-4a1b-b6ac-2f0177a0d113&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6034c0a1-69c3-4133-811f-0c50e51722c0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=79b0f33b-8550-42a3-8fa1-b61745ab84d2&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c7e4c087-67a4-410d-b929-654d988ae41f&tr=31&tt=17327967212159752&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e8f28b6b-37cc-4f5c-8acf-ec9a0854bbaf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=914d5960-15b7-4468-88cf-9462e85c2124&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf670f90-2c48-42f2-8c3d-1518a12474cf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 108.158.75.4 108.158.75.4
Source: Joe Sandbox View	IP Address: 13.232.67.198 13.232.67.198
Source: Joe Sandbox View	IP Address: 13.232.67.199 13.232.67.199

JA3 SSL client fingerprint seen in connection with other malware

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Suricata IDS alerts with low severity for network traffic

Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49755 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49750 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49781 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49821 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49922 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49894 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49847 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49952 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:50222 -> 13.232.67.199:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49979 -> 13.232.67.198:443
Source: Network traffic	Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49877 -> 13.232.67.198:443

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0180680e-e6cb-400e-83d6-3808eb668088&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d4bd921a-933d-426f-b266-ff3906eda0dc&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=fe0f6a4a-994b-4250-bc9b-b5822a0b9625&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=85b6ec95-85ff-48c0-b641-0635eec35d5a&tr=31&tt=17327967181942066&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=c1235ff2-1096-4bcd-b42c-92f552aac0b4&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=31245592-ca57-413a-838a-25566e4ba460&tr=31&tt=17327967212159752&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation.zip?UyM4OKsXi02Wlo6WrMNEmiHtL2QX34SATWbzw9cq4uYc0GhCgNxtNi1ckT3zhZxu HTTP/1.1Host: ps.atera.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=82932ee4-68f1-41e8-a024-0cd7c0b9453a&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=0ac8d5be-9b13-42b0-ad4f-ffb3f59f5a96&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ac4fb316-6088-4f09-94da-3e83236acc31&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=4456492b-4d48-43aa-9701-ba768c2eafcf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=329cd285-2dd4-4cef-8f0f-afb56ab5caec&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=9d7c3066-85d2-4aca-befa-2fb669ffcf02&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6eac0c19-ed81-4142-86ce-d4bfe2f9e3ff&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=8b625c78-4452-4758-a3e8-31be98496c25&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bb8be473-c9e0-49d3-afb3-ff89cc2038f2&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=78d5a8c0-6e60-43a1-8c43-b430a42d1135&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=51b5a75b-eddb-4e11-99de-ac8ea9cd314a&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=cad12679-119f-4810-9e43-100014c76ca9&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=650d986d-f869-4f59-a614-09a3b5f2c7c9&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=06a8ce5e-13a8-41de-a6cf-80410b04d784&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=35e6706e-2565-4810-9687-a6621cd90331&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=4d7f2f21-f9de-4400-92e4-bcfafd642b55&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=a543e4d2-478c-4637-a32f-01e5c1d96820&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=5217d3d2-da87-42e8-9726-56daff914c54&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=363c6e5c-519b-49a4-bb28-3c290a721f04&tt=0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/leave?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=98770db9-b9c5-40a7-84a7-ea720f9b7aa0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=d8be8b67-b9dc-4bd8-9f60-1df842ebee06&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ba6a13f1-ebc9-4a1b-b6ac-2f0177a0d113&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=6034c0a1-69c3-4133-811f-0c50e51722c0&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=79b0f33b-8550-42a3-8fa1-b61745ab84d2&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794-e0ddc81d610f/0?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=c7e4c087-67a4-410d-b929-654d988ae41f&tr=31&tt=17327967212159752&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=e8f28b6b-37cc-4f5c-8acf-ec9a0854bbaf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6-2883-4c67-9794-e0ddc81d610f/heartbeat?heartbeat=93&pnsdk=NET45CSharp6.13.0.0&requestid=914d5960-15b7-4468-88cf-9462e85c2124&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Cache-Control: no-cachePragma: no-cacheContent-Type: application/jsonHost: ps.pndsn.com
Source: global traffic	HTTP traffic detected: GET /time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf670f90-2c48-42f2-8c3d-1518a12474cf&uuid=ff94aff6-2883-4c67-9794-e0ddc81d610f HTTP/1.1Host: ps.pndsn.com

Source: global traffic	DNS traffic detected: DNS query: agent-api.atera.com
Source: global traffic	DNS traffic detected: DNS query: ps.pndsn.com
Source: global traffic	DNS traffic detected: DNS query: ps.atera.com

Source: AteraAgent.exe, 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163458F1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe.1.dr	String found in binary or memory: http://acontrol.atera.com/
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EF3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EE5000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EDD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EFB000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000051A5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.000002498012F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA772F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://agent-api.atera.com
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005135000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EF3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EDD000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000051A5000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.000002498012F000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA772F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://atera-agent-api-eu.westeurope.cloudapp.azure.com
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertCSRSA4096RootG5.crt0E
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: C56C4404C4DEF0DC88E5FCD9F09CB2F10.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4119372765.000001635E2B0000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, ICSharpCode.SharpZipLib.dll.1.dr, AteraAgent.exe.1.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E2E5000.00000004.00000020.00020000.00000000.sdmp, F2E248BEDDBB2D85122423C41028BFD40.13.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114768410.00000249983EB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2117522900.0000025EBFD93000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2117782628.0000025EBFE18000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.13.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA2.crt0
Source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/ind.
Source: AgentPackageAgentInformation.exe, 00000015.00000002.2117782628.0000025EBFE2D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: AgentPackageAgentInformation.exe, 00000015.00000002.2117522900.0000025EBFDEE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.v
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A285000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertCSRSA4096RootG5.crl0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: AteraAgent.exe, 0000000C.00000002.1803756057.000002B02006E000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl&
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, ICSharpCode.SharpZipLib.dll.1.dr, AteraAgent.exe.1.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl9N4
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlL
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crlrtG
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0F
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/lS
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlrlCache
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com:80/DigiCertTrustedRootG4.crllorer
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A285000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5CF000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl&
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, ICSharpCode.SharpZipLib.dll.1.dr, AteraAgent.exe.1.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl9.
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5CF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlR_8
Source: AteraAgent.exe, 0000000C.00000002.1803756057.000002B02006E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlW.
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA2.crl0=
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com:80/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crlH$
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, 57C8EDB95DF3F0AD4EE2DC2B8CFD4157.12.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: AgentPackageAgentInformation.exe, 00000014.00000000.2076737849.00000249FF0A2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.13.dr	String found in binary or memory: http://dl.google.com/googletalk/googletalk-setup.exe
Source: Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://james.newtonking.com/projects/json
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A285000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/.
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4119372765.000001635E2E5000.00000004.00000020.00020000.00000000.sdmp, 8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A9440.13.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rh
Source: 698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB0.12.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxL
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4112182700.00000163451FB000.00000004.00000020.00020000.00000000.sdmp, C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F1410.13.dr	String found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxX
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/l
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com/mY
Source: AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4119372765.000001635E2B0000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, ICSharpCode.SharpZipLib.dll.1.dr, AteraAgent.exe.1.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6AD000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6FF000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114768410.00000249983EB000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2117522900.0000025EBFD93000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2117782628.0000025EBFE18000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, C56C4404C4DEF0DC88E5FCD9F09CB2F1.13.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, MSI87B1.tmp.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0K
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Newtonsoft.Json.dll.16.dr, MSI87B1.tmp.1.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, AgentPackageAgentInformation.exe.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com:80/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7Nfjgt
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A226000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertAssuredIDRootCA.crlO
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ps.pndsn.com
Source: AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org
Source: AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.datacontract.org/2004/07/System.ServiceProcess
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163458F1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.0000024980083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA76BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://wixtoolset.org
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://wixtoolset.org/Whttp://wixtoolset.org/telemetry/v
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://wixtoolset.org/news/
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: http://wixtoolset.org/releases/
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A1C0000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, ICSharpCode.SharpZipLib.dll.1.dr, Newtonsoft.Json.dll.4.dr, AteraAgent.exe.1.dr, Newtonsoft.Json.dll.5.dr, Atera.AgentPackage.Common.dll.13.dr, Pubnub.dll.1.dr, BouncyCastle.Crypto.dll.1.dr, System.ValueTuple.dll.1.dr, Newtonsoft.Json.dll.13.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.o
Source: AteraAgent.exe, 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.w3.oh
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EF7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EE1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.000001634629E000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EF3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.P
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EF3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.P(
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.PR
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EDD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.Pj
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EE3000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.Pjv
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.aterD
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345D93000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345CDD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E55000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AB1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.0000024980083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA76BF000.00000004.00000800.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.16.dr, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.3.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.16.dr, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.3.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com/
Source: AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.0000024980083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA76BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.16.dr, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.3.dr, AlphaControlAgentInstallation.dll.4.dr	String found in binary or memory: https://agent-api.atera.com/Production/Agent/
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345D93000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.000001634629E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/Age
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345EBF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStarting)
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStartingB
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStartingX7.
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/AgentStartingp
Source: AgentPackageAgentInformation.exe, 00000014.00000002.2114097425.0000024980083000.00000004.00000800.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2115443883.0000025EA76BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/CommandResult
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345CD3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E51000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345ADB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommands
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback0
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsFallback2/
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetCommandsp
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E55000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurrin
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackages
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesibe
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesnection
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/GetRecurringPackagesnterval
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event
Source: rundll32.exe, 00000004.00000002.1728881275.0000000005156000.00000004.00000800.00020000.00000000.sdmp, rundll32.exe, 00000010.00000002.1869070441.00000000051C6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://agent-api.atera.com/Production/Agent/track-event;
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB48000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: System.ValueTuple.dll.1.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf
Source: System.ValueTuple.dll.1.dr	String found in binary or memory: https://github.com/dotnet/corefx/tree/30ab651fcb4354552bd4891619a0bdd81e0ebdbf8
Source: AteraAgent.exe, 0000000D.00000002.4122014011.000001635E9B2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.1.dr	String found in binary or memory: https://github.com/icsharpcode/SharpZipLib
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A30000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com
Source: AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagescrossplatform/AgentPackageAgentInformation/1.13/AgentPackageAgentI
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Availability/0.16/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/A
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Pac
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageAgentInformation/38.0/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageNetworkDiscovery/13.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageRuntimeInstaller/1.5/AgentPackageRuntimeInstaller.
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A90000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A74000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageTaskScheduler/13.0/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/A
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesmac/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Availability/0.16/Agent.Package.Availability.z
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.IotPoc/0.2/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/Agent.Package.Watchdog/1.7/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageADRemote/6.0/AgentPackageADRemote.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageAgentInformation/38.0/AgentPackageAgentInformati
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageNetworkDiscovery/23.9/AgentPackageNetworkDiscove
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageRuntimeInstaller/1.6/AgentPackageRuntimeInstalle
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459B7000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A90000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A74000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345A7C000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageTaskScheduler/17.2/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPa
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackagesnet45/AgentPackageWindowsUpdate/24.6/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Availability/13.0/Agent.Package.Availability.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.IotPoc/13.0/Agent.Package.IotPoc.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345952000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B0A000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459C3000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BB000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AAD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/Agent.Package.Watchdog/13.0/Agent.Package.Watchdog.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.00000163459BF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageAgentInformation/22.7/AgentPackageAgentInformation
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageNetworkDiscovery/15.0/AgentPackageNetworkDiscovery
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageRuntimeInstaller/13.0/AgentPackageRuntimeInstaller
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskSchedul
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AA5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageTaskScheduler/13.1/AgentPackageTaskScheduler.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AFD000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.atera.com/agentpackageswin/AgentPackageWindowsUpdate/18.3/AgentPackageWindowsUpdate.zip
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345976000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E65000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345976000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=0180680e-e6cb-400e-83d6-3808eb668088
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=377417ee-b208-4922-a278-778329313858
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=811d9700-d678-4b14-9442-20877f787d98
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ba6a13f1-ebc9-4a1b-b6ac-2f0177a0d113
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=bc48e4ab-59d5-4385-9ebb-6bdf934e8e43
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345E65000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=cf670f90-2c48-42f2-8c3d-1518a12474cf
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=d1a4fa35-d7fa-4da0-99b6-08c62f57c171
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=e1b9fd91-c306-4290-9b3f-369d7c5c009e
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f452f05c-24ab-44c2-90a0-e6c8fdaa9194
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=f8b53c58-e2e7-4a77-a6fb-ccd81bb3df54
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345C5A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/time/0?pnsdk=NET45CSharp6.13.0.0&requestid=ffe6d5cf-fafd-40b4-8a1e-0da4f848d80d
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B43000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AB1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/presence/sub_key/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/channel/ff94aff6
Source: AteraAgent.exe, 0000000D.00000002.4114698045.0000016345AB1000.00000004.00000800.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4114698045.0000016345B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ps.pndsn.com/v2/subscribe/sub-c-a02ceca8-a958-11e5-bd8c-0619f8945a4f/ff94aff6-2883-4c67-9794
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, 5c13e6.msi, Microsoft.Deployment.WindowsInstaller.dll.4.dr, MSI8753.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, MSI87B1.tmp.1.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr	String found in binary or memory: https://www.newtonsoft.com/json
Source: Newtonsoft.Json.dll.1.dr	String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB4A000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.13.dr, Newtonsoft.Json.dll.1.dr	String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson

Source: unknown	Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50219
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50210
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50179
Source: unknown	Network traffic detected: HTTP traffic on port 50202 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49781 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49878 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown	Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50060
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49858
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown	Network traffic detected: HTTP traffic on port 50219 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown	Network traffic detected: HTTP traffic on port 49889 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50227
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50228
Source: unknown	Network traffic detected: HTTP traffic on port 49837 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50010 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50060 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49946 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50186
Source: unknown	Network traffic detected: HTTP traffic on port 49858 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50185
Source: unknown	Network traffic detected: HTTP traffic on port 50186 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50222
Source: unknown	Network traffic detected: HTTP traffic on port 50222 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50134 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49847
Source: unknown	Network traffic detected: HTTP traffic on port 50197 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown	Network traffic detected: HTTP traffic on port 49901 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49869 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49790 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50227 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown	Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50197
Source: unknown	Network traffic detected: HTTP traffic on port 49834 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50114 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50114
Source: unknown	Network traffic detected: HTTP traffic on port 49828 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49837
Source: unknown	Network traffic detected: HTTP traffic on port 49847 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49834
Source: unknown	Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49757 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49952
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown	Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49952 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50089
Source: unknown	Network traffic detected: HTTP traffic on port 50150 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50207 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50002
Source: unknown	Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49938 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49828
Source: unknown	Network traffic detected: HTTP traffic on port 50210 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49946
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49821
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49942
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown	Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49781
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50010
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50098
Source: unknown	Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50134
Source: unknown	Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50137
Source: unknown	Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50158 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50161 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49938
Source: unknown	Network traffic detected: HTTP traffic on port 49942 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49759 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49931
Source: unknown	Network traffic detected: HTTP traffic on port 50169 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50146
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown	Network traffic detected: HTTP traffic on port 50098 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50150
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown	Network traffic detected: HTTP traffic on port 49991 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49905 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49889
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown	Network traffic detected: HTTP traffic on port 49756 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown	Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50166 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49821 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50158
Source: unknown	Network traffic detected: HTTP traffic on port 49877 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50179 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50137 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50161
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown	Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49759
Source: unknown	Network traffic detected: HTTP traffic on port 50089 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49757
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49878
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49877
Source: unknown	Network traffic detected: HTTP traffic on port 49755 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49756
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49755
Source: unknown	Network traffic detected: HTTP traffic on port 50228 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50207
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49751
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49991
Source: unknown	Network traffic detected: HTTP traffic on port 50146 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50166
Source: unknown	Network traffic detected: HTTP traffic on port 49931 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50044
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50169
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50202
Source: unknown	Network traffic detected: HTTP traffic on port 50002 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 50185 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 50172
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49905
Source: unknown	Network traffic detected: HTTP traffic on port 50044 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49901
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49745

Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49745 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49746 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 108.158.75.4:443 -> 192.168.2.4:49759 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49828 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49840 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49869 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49887 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49915 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49922 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49931 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49946 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49952 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49976 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49977 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:49978 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50010 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50017 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50044 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50060 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50089 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50098 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50114 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.198:443 -> 192.168.2.4:50129 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50134 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50137 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50142 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50146 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50150 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50153 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50158 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50161 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50166 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50169 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50172 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50175 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50176 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50179 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50182 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50185 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50186 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50197 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50202 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50207 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50210 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50219 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 13.232.67.199:443 -> 192.168.2.4:50222 version: TLS 1.2

Drops certificate files (DER)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to dropped file

Spam, unwanted Advertisements and Ransom Demands

Reads the Security eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Security

Reads the System eventlog

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Key opened: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\System

Abnormal high CPU Usage

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process Stats: CPU usage > 49%

Creates files inside the system directory

Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c685d.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6995.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BB9.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI82CC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\inprogressinstallinfo.ipi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8742.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8753.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI87B1.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI88BC.tmp	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c685f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\4c685f.msi	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1A4.tmp	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\CustomAction.config	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Newtonsoft.Json.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\System.Management.dll	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\CustomAction.config	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Newtonsoft.Json.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\System.Management.dll
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\CustomAction.config
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Deletes files inside the Windows folder

Source: C:\Windows\System32\msiexec.exe

File deleted: C:\Windows\Installer\MSI6995.tmp

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_3_075175C8	4_3_075175C8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_3_07510040	4_3_07510040
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04BD50B8	5_3_04BD50B8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04BD59A8	5_3_04BD59A8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 5_3_04BD4D68	5_3_04BD4D68
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 12_2_00007FFD9B400C54	12_2_00007FFD9B400C54
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 12_2_00007FFD9B40C9A1	12_2_00007FFD9B40C9A1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 12_2_00007FFD9B40BBF1	12_2_00007FFD9B40BBF1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 12_2_00007FFD9B400C84	12_2_00007FFD9B400C84
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B411BEE	13_2_00007FFD9B411BEE
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B413870	13_2_00007FFD9B413870
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B40C910	13_2_00007FFD9B40C910
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B401CE0	13_2_00007FFD9B401CE0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B3F9AF2	13_2_00007FFD9B3F9AF2
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B40900E	13_2_00007FFD9B40900E
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B40CF58	13_2_00007FFD9B40CF58
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B60FC31	13_2_00007FFD9B60FC31
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B3F0C7D	13_2_00007FFD9B3F0C7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_3_07570040	16_3_07570040
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3FFA94	20_2_00007FFD9B3FFA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3F78D6	20_2_00007FFD9B3F78D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B40100A	20_2_00007FFD9B40100A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3F8682	20_2_00007FFD9B3F8682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B41047D	20_2_00007FFD9B41047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3F73D9	20_2_00007FFD9B3F73D9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3F12FB	20_2_00007FFD9B3F12FB
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B4010C0	20_2_00007FFD9B4010C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3FBDB0	20_2_00007FFD9B3FBDB0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B40FA94	21_2_00007FFD9B40FA94
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B4078D6	21_2_00007FFD9B4078D6
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B41100A	21_2_00007FFD9B41100A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B408682	21_2_00007FFD9B408682
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B42047D	21_2_00007FFD9B42047D
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B4012FA	21_2_00007FFD9B4012FA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B4110C0	21_2_00007FFD9B4110C0
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B40BD10	21_2_00007FFD9B40BD10

Dropped file seen in connection with other malware

Source: Joe Sandbox View

Dropped File: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe A96A0BA7998A6956C8073B6EFF9306398CC03FB9866E4CABF0810A69BB2A43B2

Sample file is different than original file name gathered from version info

Source: 5c13e6.msi	Binary or memory string: OriginalFilenameAlphaControlAgentInstallation.dll\ vs 5c13e6.msi
Source: 5c13e6.msi	Binary or memory string: OriginalFilenameSfxCA.dll\ vs 5c13e6.msi
Source: 5c13e6.msi	Binary or memory string: OriginalFilenamewixca.dll\ vs 5c13e6.msi

Source: ICSharpCode.SharpZipLib.dll.1.dr, InflaterInputBuffer.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.1.dr, DeflaterOutputStream.cs	Cryptographic APIs: 'TransformBlock'
Source: ICSharpCode.SharpZipLib.dll.1.dr, ZipAESTransform.cs	Cryptographic APIs: 'TransformBlock'

Source: AteraAgent.exe.1.dr, SignatureValidator.cs

Source: classification engine

Classification label: mal88.troj.spyw.evad.winMSI@34/79@34/3

Source: C:\Windows\System32\msiexec.exe

File created: C:\Program Files (x86)\ATERA Networks

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Mutant created: NULL
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7936:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7864:120:WilError_03
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Mutant created: \BaseNamedObjects\Global\netfxeventlog.1.0
Source: C:\Windows\System32\conhost.exe	Mutant created: \BaseNamedObjects\Local\SM0:1308:120:WilError_03

Source: C:\Windows\System32\msiexec.exe

File created: C:\Windows\TEMP\~DF6D201690A06C6388.TMP

Jump to behavior

Source: C:\Windows\SysWOW64\net1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Windows\SysWOW64\taskkill.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "AteraAgent.exe")
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File read: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Windows\System32\msiexec.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Source: 5c13e6.msi

Static file information: TRID: Microsoft Windows Installer (60509/1) 57.88%

Source: 5c13e6.msi

ReversingLabs: Detection: 26%

Source: unknown	Process created: C:\Windows\System32\msiexec.exe "C:\Windows\System32\msiexec.exe" /i "C:\Users\user\Desktop\5c13e6.msi"
Source: unknown	Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6035F6485629B3656802BDCB68379B97
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6995.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5007890 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6BB9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5008359 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI82CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5014250 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8C2A075FB1C9BFF9A65B59CB5274A31B E Global\MSI0000
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe
Source: C:\Windows\SysWOW64\taskkill.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="matteobianchini1965@autograf.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000NxmUvIAJ" /AgentId="ff94aff6-2883-4c67-9794-e0ddc81d610f"
Source: unknown	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Windows\System32\sc.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA1A4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5022156 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "87885c4b-c98b-4114-8df6-f508dfdcbf5a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "81e73b14-e55c-40af-aa45-a29326f84cb3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ
Source: C:\Windows\SysWOW64\net1.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 6035F6485629B3656802BDCB68379B97	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Windows\SysWOW64\msiexec.exe C:\Windows\syswow64\MsiExec.exe -Embedding 8C2A075FB1C9BFF9A65B59CB5274A31B E Global\MSI0000	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="matteobianchini1965@autograf.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000NxmUvIAJ" /AgentId="ff94aff6-2883-4c67-9794-e0ddc81d610f"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6995.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5007890 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI6BB9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5008359 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSI82CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5014250 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Windows\Installer\MSIA1A4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_5022156 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "87885c4b-c98b-4114-8df6-f508dfdcbf5a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "81e73b14-e55c-40af-aa45-a29326f84cb3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ

Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msihnd.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: tsappcmp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: srclient.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: spp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vssapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vsstrace.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: pcacli.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: msi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\net1.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: propsys.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: edputil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: urlmon.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iertutil.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: srvcli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: netutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: windows.staterepositoryps.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wintypes.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: appresolver.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: bcp47langs.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: slc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: sppc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecorecommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: cryptnet.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: webio.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: apphelp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mscoree.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: wbemcomn.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: amsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: userenv.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasapi32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasman.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rtutils.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winhttp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ondemandconnroutehelper.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: winnsi.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: secur32.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: sspicli.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: schannel.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: mskeyprotect.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: ncryptsslp.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: msasn1.dll
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Section loaded: gpapi.dll

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File written: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll

Source: 5c13e6.msi

Static file information: File size 2994176 > 1048576

Source:	Binary string: D:\a\1\s\AgentPackageAgentInformation\AgentPackageAgentInformation\obj\Release\AgentPackageAgentInformation.pdb source: AgentPackageAgentInformation.exe, 00000014.00000000.2076737849.00000249FF0A2000.00000002.00000001.01000000.00000016.sdmp, AgentPackageAgentInformation.exe.13.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgentInstallation\obj\Release\AlphaControlAgentInstallation.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, AlphaControlAgentInstallation.dll.16.dr, AlphaControlAgentInstallation.dll.5.dr, AlphaControlAgentInstallation.dll.3.dr, AlphaControlAgentInstallation.dll.4.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB4A000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.13.dr
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb<$ source: AteraAgent.exe, 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.1.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000014.00000002.2116400747.00000249FFB4A000.00000002.00000001.01000000.00000019.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.13.dr, Newtonsoft.Json.dll.1.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdb source: AgentPackageAgentInformation.exe, 00000015.00000002.2115276194.0000025EA7532000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.13.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdb source: System.ValueTuple.dll.1.dr
Source:	Binary string: t.pdb source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\wixca.pdb source: 5c13e6.msi, MSI8753.tmp.1.dr, MSI87B1.tmp.1.dr, MSI8742.tmp.1.dr, MSI88BC.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdbP source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: D:\a\1\s\Atera.AgentPackage.Common\obj\Release\Atera.AgentPackage.Common.pdbPf source: AgentPackageAgentInformation.exe, 00000015.00000002.2115276194.0000025EA7532000.00000002.00000001.01000000.00000018.sdmp, Atera.AgentPackage.Common.dll.13.dr
Source:	Binary string: BouncyCastle.Crypto.pdbSHA256 source: BouncyCastle.Crypto.dll.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\obj\ship\x86\WindowsInstaller\Microsoft.Deployment.WindowsInstaller.pdb source: rundll32.exe, 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, Microsoft.Deployment.WindowsInstaller.dll.4.dr, Microsoft.Deployment.WindowsInstaller.dll.3.dr, Microsoft.Deployment.WindowsInstaller.dll.16.dr, Microsoft.Deployment.WindowsInstaller.dll.5.dr
Source:	Binary string: mscorlib.pdb source: AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6FF000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: D:\a\1\s\AlphaControlAgent\obj\Release\AteraAgent.pdb source: AteraAgent.exe, 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, AteraAgent.exe.1.dr
Source:	Binary string: E:\A\_work\39\s\corefx\bin\obj\AnyOS.AnyCPU.Release\System.ValueTuple\netstandard1.0\System.ValueTuple.pdbSHA256 source: System.ValueTuple.dll.1.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdbSHA256 source: AteraAgent.exe, 0000000C.00000002.1805925767.000002B03A3F2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.1.dr
Source:	Binary string: D:\a\c-sharp\c-sharp\src\Api\PubnubApi\obj\Release\net45\Pubnub.pdb source: AteraAgent.exe, 0000000C.00000002.1805925767.000002B03A3F2000.00000002.00000001.01000000.00000011.sdmp, Pubnub.dll.1.dr
Source:	Binary string: C:\agent\_work\66\s\build\ship\x86\SfxCA.pdb source: 5c13e6.msi, MSI6BB9.tmp.1.dr, MSI82CC.tmp.1.dr, MSI6995.tmp.1.dr, 4c685d.msi.1.dr, 4c685f.msi.1.dr, MSIA1A4.tmp.1.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdbSHA256mW source: AteraAgent.exe, 0000000D.00000002.4122014011.000001635E9B2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.1.dr
Source:	Binary string: /_/src/ICSharpCode.SharpZipLib/obj/Release/net45/ICSharpCode.SharpZipLib.pdb source: AteraAgent.exe, 0000000D.00000002.4122014011.000001635E9B2000.00000002.00000001.01000000.0000001B.sdmp, ICSharpCode.SharpZipLib.dll.1.dr
Source:	Binary string: BouncyCastle.Crypto.pdb source: BouncyCastle.Crypto.dll.1.dr
Source:	Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA2567 source: rundll32.exe, 00000003.00000003.1668037110.00000000047E7000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000004.00000003.1674855379.0000000004E8A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000005.00000003.1731830189.000000000493B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120053577.000001635E472000.00000002.00000001.01000000.0000001A.sdmp, rundll32.exe, 00000010.00000003.1810478471.0000000004F76000.00000004.00000020.00020000.00000000.sdmp, Newtonsoft.Json.dll.3.dr, Newtonsoft.Json.dll.16.dr, Newtonsoft.Json.dll.4.dr, Newtonsoft.Json.dll.5.dr, Newtonsoft.Json.dll.1.dr
Source:	Binary string: m.pdb source: AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp

Binary contains a suspicious time stamp

Source: BouncyCastle.Crypto.dll.1.dr

Static PE information: 0xE49A52B3 [Sun Jul 15 06:22:43 2091 UTC]

PE file contains an invalid checksum

Source: MSI6995.tmp.1.dr	Static PE information: real checksum: 0x32353 should be: 0x88610
Source: AlphaControlAgentInstallation.dll.3.dr	Static PE information: real checksum: 0x0 should be: 0xe266
Source: MSI6BB9.tmp.1.dr	Static PE information: real checksum: 0x32353 should be: 0x88610
Source: MSIA1A4.tmp.1.dr	Static PE information: real checksum: 0x32353 should be: 0x88610
Source: MSI82CC.tmp.1.dr	Static PE information: real checksum: 0x32353 should be: 0x88610

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_3_0742B235 push ds; ret	4_3_0742B243
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 4_3_07514ECF push dword ptr [esp+ecx*2-75h]; ret	4_3_07514ED3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B410AD8 pushad ; ret	13_2_00007FFD9B410AE1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B40CE75 push ebx; retf 0003h	13_2_00007FFD9B40CE8A
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B605930 push esp; retn 5F2Ch	13_2_00007FFD9B6062D9
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B606414 push eax; ret	13_2_00007FFD9B606444
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B601EFC push eax; ret	13_2_00007FFD9B601F14
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B6009B1 push eax; ret	13_2_00007FFD9B6009D4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Code function: 13_2_00007FFD9B6011E1 push eax; ret	13_2_00007FFD9B601204
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_3_0748B235 push ds; ret	16_3_0748B243
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 16_3_07574ECF push dword ptr [esp+ecx*2-75h]; ret	16_3_07574ED3
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 20_2_00007FFD9B3F00BD pushad ; iretd	20_2_00007FFD9B3F00C1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Code function: 21_2_00007FFD9B4000BD pushad ; iretd	21_2_00007FFD9B4000C1

Persistence and Installation Behavior

Creates files in the system32 config directory

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Drops PE files

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI82CC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1A4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BB9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6995.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8753.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI87B1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI88BC.tmp	Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI82CC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSIA1A4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6BB9.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6BB9.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI87B1.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSIA1A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI88BC.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	File created: C:\Windows\Installer\MSI82CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI6995.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	File created: C:\Windows\Installer\MSI8753.tmp	Jump to dropped file

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Windows\system32\InstallUtil.InstallLog			Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	File created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog			Jump to behavior

Creates or modifies windows services

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\EventLog\Application

Jump to behavior

Uses net.exe to stop services

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Classes
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Stores large binary data to the registry

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Key value created or modified: HKEY_USERS.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C Blob

Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\net1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select * from Win32_NetworkAdapter

Allocates memory with a write watch (potentially for evading sandboxes)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 2B0219C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 2B0399F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 16345420000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Memory allocated: 1635D8F0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 249FF400000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 249FFBF0000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 25EA6F40000 memory reserve \| memory write watch
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Memory allocated: 25EBF600000 memory reserve \| memory write watch

Contains long sleeps (>= 3 min)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 5488
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Window / User API: threadDelayed 4169

Found dropped PE file which has not been started or loaded

Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1A4.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6995.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB9.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI82CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI82CC.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1A4.tmp	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI82CC.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1A4.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB9.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6995.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI82CC.tmp-\System.Management.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI8753.tmp	Jump to dropped file
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6995.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB9.tmp-\Microsoft.Deployment.WindowsInstaller.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6BB9.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	Jump to dropped file
Source: C:\Windows\SysWOW64\rundll32.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI6995.tmp-\Newtonsoft.Json.dll	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI87B1.tmp	Jump to dropped file
Source: C:\Windows\System32\msiexec.exe	Dropped PE file which has not been started: C:\Windows\Installer\MSI88BC.tmp	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\SysWOW64\rundll32.exe TID: 7692	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8068	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 8024	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7208	Thread sleep count: 5488 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7208	Thread sleep count: 4169 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7184	Thread sleep count: 33 > 30
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7184	Thread sleep time: -30437127721620741s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7184	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7484	Thread sleep time: -120000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 2504	Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe TID: 7400	Thread sleep time: -180000s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe TID: 1104	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8064	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7952	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 8012	Thread sleep time: -30000s >= -30000s
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe TID: 7944	Thread sleep time: -922337203685477s >= -30000s

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\net1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : select Manufacturer,Model,Product from Win32_BaseBoard

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Windows\SysWOW64\net1.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select Name from Win32_Processor

Sample execution stops while process was sleeping (likely an evasion)

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 30000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Thread delayed: delay time: 90000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Thread delayed: delay time: 922337203685477

Source: AgentPackageAgentInformation.exe.13.dr	Binary or memory string: VIRUSfighterAVMware Carbon Black Cloud Sensor7VMware Carbon Black Defense/VMware Carbon Black EDR9VMware Carbon Black Response
Source: AteraAgent.exe, 0000000D.00000002.4120518089.000001635E6AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWts.digicert.comDigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crtB\
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A29A000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000C.00000002.1804899663.000002B03A240000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4119372765.000001635E33B000.00000004.00000020.00020000.00000000.sdmp, AteraAgent.exe, 0000000D.00000002.4120518089.000001635E670000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: rundll32.exe, 00000010.00000002.1867907620.000000000355A000.00000004.00000020.00020000.00000000.sdmp, rundll32.exe, 00000010.00000003.1866461004.0000000003558000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllg
Source: rundll32.exe, 00000004.00000002.1728174926.00000000032F2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllh
Source: AgentPackageAgentInformation.exe, 00000014.00000002.2114768410.0000024998365000.00000004.00000020.00020000.00000000.sdmp, AgentPackageAgentInformation.exe, 00000015.00000002.2117522900.0000025EBFDC1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\System32\msiexec.exe

Process information queried: ProcessInformation

Jump to behavior

Enables debug privileges

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Process token adjusted: Debug

Source: C:\Windows\SysWOW64\rundll32.exe

Memory allocated: page read and write | page guard

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="matteobianchini1965@autograf.pl" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000NxmUvIAJ" /AgentId="ff94aff6-2883-4c67-9794-e0ddc81d610f"	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\net.exe "NET" STOP AteraAgent	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe	Jump to behavior
Source: C:\Windows\SysWOW64\net.exe	Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 STOP AteraAgent	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Windows\System32\sc.exe "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "87885c4b-c98b-4114-8df6-f508dfdcbf5a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "81e73b14-e55c-40af-aa45-a29326f84cb3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000NxmUvIAJ

Uses taskkill to terminate processes

Source: C:\Windows\SysWOW64\msiexec.exe

Process created: C:\Windows\SysWOW64\taskkill.exe "TaskKill.exe" /f /im AteraAgent.exe

Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="matteobianchini1965@autograf.pl" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000nxmuviaj" /agentid="ff94aff6-2883-4c67-9794-e0ddc81d610f"
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "87885c4b-c98b-4114-8df6-f508dfdcbf5a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000nxmuviaj
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "81e73b14-e55c-40af-aa45-a29326f84cb3" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000nxmuviaj
Source: C:\Windows\System32\msiexec.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe "c:\program files (x86)\atera networks\ateraagent\ateraagent.exe" /i /integratorlogin="matteobianchini1965@autograf.pl" /companyid="1" /integratorloginui="" /companyidui="" /folderid="" /accountid="001q300000nxmuviaj" /agentid="ff94aff6-2883-4c67-9794-e0ddc81d610f"	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "87885c4b-c98b-4114-8df6-f508dfdcbf5a" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000nxmuviaj
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Process created: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe "c:\program files (x86)\atera networks\ateraagent\packages\agentpackageagentinformation\agentpackageagentinformation.exe" ff94aff6-2883-4c67-9794-e0ddc81d610f "81e73b14-e55c-40af-aa45-a29326f84cb3" agent-api.atera.com/production 443 or8ixli90mf "minimalidentification" 001q300000nxmuviaj

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\msiexec.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI6995.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI6BB9.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI6BB9.tmp-\Newtonsoft.Json.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI82CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIA1A4.tmp-\Microsoft.Deployment.WindowsInstaller.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Installer\MSIA1A4.tmp-\Newtonsoft.Json.dll VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll VolumeInformation
Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Adds / modifies Windows certificates

Source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 Blob

Remote Access Functionality

Yara detected AteraAgent

Source: Yara match	File source: 21.2.AgentPackageAgentInformation.exe.25ea7530000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.0.AteraAgent.exe.2b01fea0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.0.AgentPackageAgentInformation.exe.249ff0a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000D.00000002.4112182700.00000163451AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2114097425.0000024980073000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021AA2000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000003.1668037110.00000000047B6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021B22000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114464678.0000025EA6E78000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114464678.0000025EA6E35000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4114698045.000001634595D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4111980310.00000163450A0000.00000004.00000020.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803530463.000002B01FF70000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000000.1750493961.000002B01FEA2000.00000002.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4120518089.000001635E6AD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115566795.00000249FF2CC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4112182700.00000163451FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000000.2076737849.00000249FF0A2000.00000002.00000001.01000000.00000016.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021A79000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1806480577.000002B03A590000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114464678.0000025EA6E0B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B020020000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B020040000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B020026000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021B56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021B6C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000003.1674855379.0000000004E59000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1728881275.0000000005114000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115443883.0000025EA7673000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114464678.0000025EA6E2D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114402419.0000025EA6DF8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115038756.0000025EA6F90000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115522472.00000249FF2A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1807832870.00007FFD9B494000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4120518089.000001635E68B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1869070441.00000000050E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4108029659.0000005DF3B15000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.1869070441.0000000005187000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1806651038.000002B03A5B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B02006E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115566795.00000249FF300000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.1728881275.0000000005071000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115566795.00000249FF2C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1806651038.000002B03A5E3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115443883.0000025EA7647000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2114402419.0000025EA6DF0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4114554008.00000163454B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115443883.0000025EA7601000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021A7C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B01FFE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4112182700.00000163451CD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115276194.0000025EA7532000.00000002.00000001.01000000.00000018.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021AA4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1731830189.000000000490A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2117484023.0000025EBFD89000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021AB9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4120518089.000001635E670000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115443883.0000025EA7683000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115566795.00000249FF34C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.1810478471.0000000004F45000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2115566795.00000249FF307000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B021AAA000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4114698045.0000016345EBF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1803756057.000002B01FFE6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4112182700.0000016345170000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2115443883.0000025EA76BF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2114097425.0000024980083000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2114097425.0000024980001000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.1804345950.000002B0219F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.4114698045.00000163458F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7584, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 7736, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 7992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AteraAgent.exe PID: 8176, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: rundll32.exe PID: 3152, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7904, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: AgentPackageAgentInformation.exe PID: 7880, type: MEMORYSTR
Source: Yara match	File source: C:\Windows\Temp\~DF1C46BEF5561279DD.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFCC791DA1EF222C85.TMP, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Config.Msi\4c685e.rbs, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF6331E09D6B6BFB1B.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSIA1A4.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI82CC.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DFBFB6DF824FA39372.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI6995.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF0301261F3F564947.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\inprogressinstallinfo.ipi, type: DROPPED
Source: Yara match	File source: C:\Windows\System32\InstallUtil.InstallLog, type: DROPPED
Source: Yara match	File source: C:\Windows\Temp\~DF6D201690A06C6388.TMP, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI8742.tmp, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe, type: DROPPED
Source: Yara match	File source: C:\Windows\Installer\MSI6BB9.tmp-\AlphaControlAgentInstallation.dll, type: DROPPED
Source: Yara match	File source: C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe, type: DROPPED

Windows Analysis Report
5c13e6.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

ID:	1564527
Product:	CloudBasic
Start time:	13:24:07
Start date:	28.11.2024
Sample:	5c13e6.msi
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	0220a7d4b82136a3c7973a627e4b5f50
SHA1:	0358023548ea3d3dd86de19abb7c2ddb15010736
SHA256:	0ef72d3570f61432dcb4f1afbb64c54775d497feaa127e5771dd550f245fd28e
Filetype:	Microsoft Windows Installer (60509/1) 57.88%

Windows Analysis Report 5c13e6.msi

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

E-Banking Fraud

Spam, unwanted Advertisements and Ransom Demands

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Remote Access Functionality

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs

Windows Analysis Report
5c13e6.msi